SENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN. Final. Version 1.0

Similar documents
Web Application Report

Learn Ethical Hacking, Become a Pentester

Criteria for web application security check. Version

(WAPT) Web Application Penetration Testing

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Attack Vector Detail Report Atlassian

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Where every interaction matters.

Validation Procedure. ANNEX 4. Security Testing Basis

Web App Security Audit Services

Web Application Security

Network Security Audit. Vulnerability Assessment (VA)

Application Security Testing

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Last update: February 23, 2004

Security Testing Tools

Essential IT Security Testing

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Executive Summary On IronWASP

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

The Top Web Application Attacks: Are you vulnerable?

SAST, DAST and Vulnerability Assessments, = 4

Sample Report. Security Test Plan. Prepared by Security Innovation

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

SB 1386 / AB 1298 California State Senate Bill 1386 / Assembly Bill 1298

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Security and Vulnerability Testing How critical it is?

Web Application Penetration Testing

Chapter 1 Web Application (In)security 1

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

CRYPTUS DIPLOMA IN IT SECURITY

Vulnerability Assessment and Penetration Testing

Penetration Testing. Presented by

Secure Web Applications. The front line defense

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

WEB APPLICATION HACKING. Part 2: Tools of the Trade (and how to use them)

Strategic Information Security. Attacking and Defending Web Services

INTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE:

Web Application Vulnerability Testing with Nessus

Client logo placeholder XXX REPORT. Page 1 of 37

Rational AppScan & Ounce Products


ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Thick Client Application Security

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

What is Web Security? Motivation

Overview of the Penetration Test Implementation and Service. Peter Kanters

elearning for Secure Application Development

Penetration Testing Report Client: Business Solutions June 15 th 2015

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

METHODS TO TEST WEB APPLICATION SCANNERS

BlackBerry Website and Web Application Penetration Testing Service

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

Chapter 4 Application, Data and Host Security

Demystifying Penetration Testing for the Enterprise. Presented by Pravesh Gaonjur

Certified Secure Web Application Security Test Checklist

IBM Global Technology Services Statement of Work. for. IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

NetBrain Security Guidance

Web Security Testing Cookbook*

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

Automating Security Testing. Mark Fallon Senior Release Manager Oracle

Information Security. Training

Penetration Testing Automation System

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Understanding Security Testing

Demystifying Penetration Testing

Workday Mobile Security FAQ

Sitefinity Security and Best Practices

Web application security: automated scanning versus manual penetration testing.

Vinny Hoxha Vinny Hoxha 12/08/2009

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Security Goals Services

Penetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015

External Network & Web Application Assessment. For The XXX Group LLC October 2012

Network Test Labs (NTL) Software Testing Services for igaming

Pen Testing Methodology Gueststealer TomCat Zero Day Directory Traversal VASTO

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

Real World Web Service Testing For Web Hackers

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

Transcription:

SENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN Final Version 1.0

Preconditions This security testing plan is dependent on the following preconditions: 1. Sufficient information is provided to the Security Tester(s) by the System Owner in order to carry out the proposed security testing procedures. This includes, but is not limited to: a. Location (addresses, domains, URLs) of web resources and applications. b. Authentication credentials representing each user group to be tested (see Scope). c. Sufficient information about any Web Services (e.g. location of WSDL file, XML schema, sample test SOAP messages, valid encryption certificates) to communicate via SOAP Web Services messaging tools. 2. Approval for the proposed security testing is provided to the Security Tester(s) by the System Owner. Specifically, approval for the activities described in Annex A: Rules of Engagement is sought. The signing of this Security Testing Plan serves as the authorisation and entitlement for the Security Tester(s) to access the system (Paragraph 476.2, Cybercrime Act 2003). 3. Acknowledgement from the System Owner is provided to the Security Tester(s) that appropriate procedures have been put in place to recover from a system crash of the infrastructure being tested, and to recover from the corruption of any databases that might be affected from the security testing. AMS SMARTBASE - Security Test Plan P a g e 2

Test Conditions Objective The primary objective of the ASC is to independently test the effectiveness of the SMARTBASE system security controls by commissioning a Security Test. The goal of this task is to ensure the SMARTBASE web application hosted by the ASC meets ISM compliance and technical security objectives, and achieves system certification and accreditation. Scope The scope of work for this engagement is primarily to conduct penetration testing and security assessment of the SMARTBASE web application. The SMARTBASE web application is hosted at the following address: External: https://ams.ausport.gov.au (IP Address: 192.188.101.97) Internal: 172.20.24.10 The users/roles to be tested will include: Administrator; Coach; and Athlete. Methodology Cordelta s web security testing methodology is based on Open Web Application Security Project (OWASP), a globally recognised security testing methodology. The OWASP documentation is also recommended by DSD as detailed in the Australian Government ICT Security Manual (ISM): Control 0971: It is recommended agencies follow the documentation provided in the Open Web Application Security Project guide to building secure web applications and web services. In order to tailor the assessment to the requirements, Cordelta will conduct a subset of the OWASP security test cases which will be negotiated with Dean Herpen, Business and System Owner. The test cases outside the scope of this engagement will be clearly identified, while those within the scope will provide succinct results for each test case. The results of both positive and negative test cases and the tools and techniques to complete these test cases will be shared with ASC staff and stakeholders. Cordelta s approach to the security testing of web infrastructure, applications and services for this engagement comprises the following tasks: Phase 1 - Scoping This phase develops the scope for the testing both in terms of identifying the assets to be tested, and in terms of the test cases to which these assets will be subjected. The identification of assets also identifies the system representatives who must authorise the security testing and to whom the results will be reported. AMS SMARTBASE - Security Test Plan P a g e 3

Tools Phase 2 - Threat Modelling This phase is concerned with developing an accurate threat model, which ensures the test results are relevant to the business process supported by the target system. The threat model for the application will be drawn from the existing security documentation. Phase 3 - Execute Test Cases This phase executes the test cases that have been negotiated with the system representatives. Test cases are selected based on those most appropriate to meet the stated testing objectives. The Security Testing activities performed by Cordelta utilise a range of tools running on Unix and Microsoft platforms. These tools are used to identify ports and services that are open to the Internet, systems configurations, system and device settings and known vulnerabilities. Based on the initial information gathered, the following open source and commercial tools listed below may be used in Cordelta s testing of web applications. Testing is conducted using virtual machines stored on partitions encrypted with AES using TrueCrypt. Phase 4 - Analysis and Reporting In this phase, all collected data and the results of the scans, probes and attempted exploits are analysed, and a report detailing the findings and recommendations is developed. Cordelta utilises industry standard tools to undertake its security testing. As we base our testing methodologies and tools on open standards and common products we are willing to share the toolsets employed during security testing. Documentation Open Security Testing Methodology Manual (OSSTMM), Version 3 Open Web Application Security Project (OWASP) Testing Guide, Version 3 The Penetration Testing Execution Standard (PTES), http://www.pentest-standard.org NIST SP800-44-rev2 Guidelines on Securing Public Web Severs NIST SP800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) Protective Security Policy Framework (PSPF) Australian Government Information Security Manual (ISM) 2012 Release Software VMware Workstation BackTrack 5 Linux MetaSploit 3 Framework Nessus GFI LANGuard AMS SMARTBASE - Security Test Plan P a g e 4

Testing will be conducted on Cordelta infrastructure that utilises Truecrypt disk encryption to protect data at rest. All deliverables will be transferred to ASC via write-once media and delivered by hand to the point of contact for this engagement. Deliverables The primary deliverable for this engagement is: 1. Security Test Report which will include the following: Executive Summary Explanation of scope of work and the approach taken Summary of results with identified issues Security Assessment of vulnerabilities and impacts Recommendations for mitigation Detailed technical report Resources The penetration testing and security assessment of the SMARTBASE web application will be conducted by Chris Marklew and Rebecca Buksh. Chris and Rebecca currently hold a Negative Vetting 1 (NV1) security clearance. Schedule Activity Deliverable Date (Inclusive) Estimated Effort (Days) Execute Test Cases - 15/04/2013 18/04/2013 4 Vulnerability Assess iphone - 19/04/2013 1 Application Risk and Impact Assessment - 20/04/2013 1 of Findings Draft Security Test Report Security Test Report 21/04/2013 22/04/2013 2 8 Days *Note: Client debrief will be conducted on the morning of Friday 19 th April 2013, if any critical/ high vulnerabilities are identified. AMS SMARTBASE - Security Test Plan P a g e 5

Test Cases The Security Test Plan comprises of test cases that comply with the OWASP Testing Guide v3.0 web application testing methodology. Category Test Reference Information Gathering OWASP-IG-001 Spiders, Robots and Crawlers Configuration Management OWASP-IG-002 OWASP-IG-003 OWASP-IG-004 OWASP-IG-005 OWASP-IG-006 OWASP-CM-001 OWASP-CM-002 OWASP-CM-003 OWASP-CM-004 OWASP-CM-005 OWASP-CM-006 OWASP-CM-007 OWASP-CM-008 Test Case Search Engine Discovery / Reconnaissance Identify application entry points Testing for Web Application Fingerprint Application Discovery Analysis of Error Codes / Information Leakage SSL / TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity) DB Listener Testing Infrastructure Configuration Management Testing Application Configuration Management Testing (including Hidden Field analysis and Code Review) Testing for File Extensions Handling Old, backup and unreferenced files Infrastructure and Application Admin Interfaces Testing for HTTP Methods and XST Authentication OWASP-AT-001 Credentials transport over an encrypted channel OWASP-AT-002 OWASP-AT-003 OWASP-AT-004 OWASP-AT-005 OWASP-AT-006 OWASP-AT-007 OWASP-AT-008 OWASP-AT-009 OWASP-AT-010 Testing for user enumeration Testing for Guessable (Dictionary) User Account Brute Force Testing Testing for bypassing authentication schema Testing for vulnerable remember password and password reset Testing for Logout and Browser Cache Management Testing for CAPTCHA Testing Multiple Factors Authentication Testing for Race Conditions Session Management OWASP-SM-001 Testing for Session Management Schema Authorisation OWASP-SM-002 OWASP-SM-003 OWASP-SM-004 OWASP-SM-005 OWASP-AZ-001 OWASP-AZ-002 Testing for Cookies attributes Testing for Session Fixation and Hijacking Testing for Exposed Session Variables Testing for Cross Site Request Forgery Testing for Path Traversal / Direct Object Reference / URL Manipulation Testing for bypassing authorisation schema AMS SMARTBASE - Security Test Plan P a g e 6

Category Test Reference OWASP-AZ-003 Testing for Privilege Escalation Business Logic OWASP-BL-001 Business logic testing Test Case Data (Input) Validation OWASP-DV-001 Testing for Reflected Cross Site Scripting Denial of Service (Allowed with minimal impact. Required to generate noise and therefore trigger Alerts.) OWASP-DV-002 OWASP-DV-003 OWASP-DV-004 OWASP-DV-005 OWASP-DV-006 OWASP-DV-007 OWASP-DV-008 OWASP-DV-009 OWASP-DV-010 OWASP-DV-011 OWASP-DV-012 OWASP-DV-013 OWASP-DV-014 OWASP-DV-015 OWASP-DV-016 OWASP-DS-001 OWASP-DS-002 OWASP-DS-003 OWASP-DS-004 OWASP-DS-005 OWASP-DS-006 OWASP-DS-007 OWASP-DS-008 Testing for Stored Cross Site Scripting Testing for DOM based Cross Site Scripting Testing for Cross Site Flashing SQL Injection LDAP Injection ORM Injection XML Injection SSI Injection XPath Injection IMAP/SMTP Injection Code and Content Injection OS Commanding Buffer overflow (including Format String) Incubated vulnerability Testing Testing for HTTP Splitting/Smuggling Testing for SQL Wildcard Attacks Locking Customer Accounts Buffer Overflows User Specified Object Allocation User Input as a Loop Counter Writing User Provided Data to Disk Failure to Release Resources Storing too much Data in a Session Web Services OWASP-WS-001 WS Information Gathering OWASP-WS-002 OWASP-WS-003 OWASP-WS-004 OWASP-WS-005 OWASP-WS-006 OWASP-WS-007 Testing WSDL XML Structural Testing Content-level Testing HTTP GET parameters / REST Testing Naughty SOAP attachments Replay Testing AJAX Testing OWASP-AJ-001 AJAX vulnerabilities OWASP-AJ-002 AJAX testing AMS SMARTBASE - Security Test Plan P a g e 7

Annex A: Rules of Engagement The Rules of Engagement (RoE) provide a summarised list of which activities may be performed and those that are expressly forbidden. Activity Network Infrastructure Scanning and Vulnerability Identification Web Application and Services Scanning and Vulnerability Identification Network Infrastructure Vulnerability Probing and Proof of Concept (PoC) Web Application and Services Vulnerability Probing and Proof of Concept (PoC) Network Infrastructure Vulnerability Exploitation Web Application and Services Vulnerability Exploitation Denial of Service (DoS) Testing and Exploitation Modification of Data Brute Force Login Attempts Execution Permission The Project Manager and Primary Contact acknowledge: Testing of the web application will be conducted externally to the Commission. Testing of Network Infrastructure components will be excluded from testing. That the testing and/or exploitation of some vulnerabilities may cause disruptions to services on Servers, Devices and Services under review; It is the System Owner s responsibility to maintain backups and other means of recovering services and data that may be adversely affected; It is the System Owner s responsibility to inform the Primary Contact of any detected adverse effects caused by testing and early termination of testing if required due to these adverse effects; It is the System Owner s responsibility to obtain permission to carry out testing on third party owned systems and devices that are included in the scope for testing; It is the System Owner s responsibility to inform any third parties connecting to systems of the testing and potential disruptions to services; It is the System Owner s responsibility to verify the accuracy of the resource locators that are included in the Scope prior to commencement of security testing; Agreement to inform Primary Contact immediately of any changes to ownership of above application, or the inclusion of any third party servers, devices and services used by the application; Agreement to the Schedule of testing as listed in this document, and to inform Primary Contact immediately if a variation to the schedule is required; and AMS SMARTBASE - Security Test Plan P a g e 8

The results of vulnerability identification and exploitation is neither conclusive or static. Vulnerabilities and exploits are continually discovered and developed resulting in the findings of the security test having a limited shelf life. AMS SMARTBASE - Security Test Plan P a g e 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information