G- Cloud Specialist Cloud Services. Security and Penetration Testing. Overview


Service Overview
G-Cloud Specialist Cloud Services: Security and Penetration Testing

This document provides a description of TVS's Security and Penetration Testing Service offered under the G-Cloud Specialist Cloud Services category.

Prepared for: The Digital Marketplace
Revision: Version 1.0
Revision date: 17th December 2014

Test and Verification Solutions
Engine Shed, Station Approach, Temple Meads, Bristol BS1 6QH, United Kingdom
t: +44 (0)117 903 1100
f: +44 (0)117 903 9001
e: info@testandverification.com
Follow us: @testandverif
www.testandverification.com

Revision History
Date: 17th December 2014  Version: 1.0  Author: TVS  Comments: Initial version

Legal and Copyright Information
The information in this document is confidential and may be legally privileged. It has been made publicly available on the Digital Marketplace by TVS, but TVS does not consent to the information contained within this document being copied, modified or reproduced in any way other than for the purpose of evaluating TVS's service offering as part of a customer purchasing process. The reproduction or distribution of this document in whole or in part for any other purpose is strictly forbidden. The TVS logo is a trademark of Test and Verification Solutions Limited. All other product names, trademarks and/or company names are used solely for identification and belong to their respective owners.

TVS CONFIDENTIAL

Table of Contents
1 Service Name ... 4
2 Service Type ... 4
3 Service Overview ... 5
  3.1 Application Security ... 5
    3.1.1 Security by Design ... 5
    3.1.2 Security by Coding ... 5
    3.1.3 Security by Testing ... 6
  3.2 Penetration Testing ... 6
4 Service Delivery ... 8
5 Service Management ... 9
  5.1 Monitoring Engagements ... 9
  5.2 Information Assurance and Security ... 9
6 Customer Responsibilities ... 9
7 Ordering and Invoicing Process ... 10
  7.1.1 Service Ordering ... 10
  7.1.2 Invoicing ... 10
8 Termination Terms ... 11
9 About TVS ... 12

1 Service Name
TVS Security and Penetration Testing Service

2 Service Type
Specialist Cloud Service for Testing and Training

The TVS Security and Penetration Testing Service offers public sector organisations a comprehensive set of application security and penetration testing services to meet their needs for ensuring the security of Cloud applications as well as other types of application. Applications may be created by bespoke development or by the configuration of commercial solutions, and may be either stand-alone or integrated with other applications and/or external systems.

Penetration Testing is an essential activity in ensuring that security vulnerabilities are found and removed from software applications. TVS offers cost-effective Penetration Testing that harmlessly mimics the reconnaissance and attack vectors used by malicious hackers. We go beyond automated scanning and make intelligent use of tools combined with human expertise in our inspections.

Conventional security investments concentrate on perimeter defences such as firewalls and Intrusion Detection and Prevention Systems. This network-biased approach is no longer sufficient on its own: attackers target the applications themselves, over channels the perimeter must allow through, and so can outwit and breach perimeter defences. The security battle can therefore be lost if applications are not designed, coded and tested to defend themselves.

The TVS Application Security Service bridges the crucial security gap between perimeter defences and penetration testing. Our defence-in-depth approach results in self-protecting applications that deny access to attackers even once the network boundary has been breached:
- Context-based security coaching of project teams
- Permanently relocates security knowledge from expert silos to project teams
- Bridges the gap between perimeter defences and undirected Penetration Testing
- Replaces passive testing with assertive testing techniques

By coaching your teams we provide them with the knowledge they need to start incorporating security throughout the project lifecycle, and to focus on delivering applications that do what you want them to while stopping attackers doing what they want to.

To help our customers evaluate the quality of the TVS Application Security Service, the following two whitepapers are available for free download on our website:
- Web Application Security Guidelines (for designers and developers)
- Web Application Security Testing Procedures (for testers and test managers)
www.testandverification.com/solutions/security/reducing-the-top-ten-most-critical-web-application-security-flaws/

We help you build systems that are secure through Design, Coding and Testing.

3 Service Overview

3.1 Application Security
The TVS Application Security Service helps organisations develop the right mind-set: think like attackers trying to break application security, and treat application security as part of the normal systems development and maintenance process rather than the costly alternative of reacting to a breach. It creates defence-in-depth against attackers, beyond the network-only approach.

By coaching your teams, TVS provides them with the knowledge they need to incorporate security throughout the project life-cycle and to focus on delivering applications that do what you want them to while stopping attackers doing what they want to. The TVS security coaching solution is tailored to the needs of the individuals in your project teams. It does not disrupt your current development schedules by sending people away on abstract training courses; your teams keep working productively while they acquire the skills required to design, code and test applications that are resilient to attack.

3.1.1 Security by Design
Design flaws account for roughly 50% of software security issues (IEEE Center for Secure Design). TVS provides security coaching for architects, analysts and project managers, and will review and make recommendations with regard to the SDLC process, policies, standards, threat modelling, and design specifications for trust boundaries, authentication, access control, validation, cryptography, data handling, usability, component integration, and maintenance. Architect it right from the start.

3.1.2 Security by Coding
MITRE's Common Weakness Enumeration (CWE) catalogues around 700 kinds of software security weakness, yet 60% of developers are not concerned about security. 96% of applications contain vulnerabilities, with a median of 14 per application (Cenzic). TVS offers secure code and database coaching for technical leads, developers and DBAs.

TVS will also review and make recommendations with regard to:
- Static and dynamic scanning for vulnerabilities
- Manual code inspection
- Reviews of technical controls for authentication, authorization, session management, input validation, output encoding, error handling, deployment, patching, and cryptography
- Reviewing code for vulnerabilities (buffer overflows, OS command injection, SQL injection, data validation and protection, cross-site scripting, cross-site request forgery, logging, session integrity, race conditions)
- Database security
- File management
- Memory management
- Reviewing framework-specific issues
- Coding self-aware application sensors (application-level instrumentation that detects and reports attack attempts)

Ensure your teams are building secure applications.

3.1.3 Security by Testing
If an organisation can't test for security in the applications it develops, it should be no surprise when those applications contain vulnerabilities that will, sooner or later, be found and exploited by malicious persons. TVS provides security testing coaching for test managers and testers.

TVS will also review and make recommendations for identifying security test requirements, including:
- Information gathering
- Analysing application security
- Testing configuration management
- Testing client-side and server-side controls
- Testing authentication
- Testing session management
- Testing logic flaws
- Testing access controls
- Testing input vulnerabilities
- Testing function-specific vulnerabilities
- Testing shared hosting vulnerabilities
- Testing application server vulnerabilities
- Testing DOM-based attacks
- Validating local privacy
- Testing SSL/TLS ciphers and configuration
- Testing same-origin configuration
- Testing information leakage
- Security testing tools
- Using fuzzing
- Understanding perimeter defences
- Penetration testing
- Identifying the security tests that can be done in-house and directing specialist testing of those which cannot (yet)

Demonstrate your applications are secure.

3.2 Penetration Testing
TVS Penetration Tests target specific areas of risk, prove that application development is being done with security in mind, find vulnerabilities and provide sound advice on fixing them. The TVS Penetration Testing experts take care of the highly technical tests and work with your project teams to investigate those hard-to-find vulnerabilities.

The TVS Penetration Testing service includes:

Web Application Penetration Testing: TVS will conduct information gathering, analyse the application's security features, test configuration management, test client-side and server-side controls, test authentication, test session management, test logic flaws, test access controls, test input vulnerabilities, test function-specific vulnerabilities, test shared hosting vulnerabilities, test application server vulnerabilities, test DOM-based attacks, validate local privacy, test SSL/TLS ciphers and configuration, test same-origin configuration, and test for information leakage.

Network Penetration Testing: TVS will identify network vulnerabilities by infrastructure vulnerability scanning, infrastructure penetration testing, and cloud and virtual hosting penetration testing. The vulnerabilities we target are: weak passwords, weak encryption, insecure ciphers and protocols, man-in-the-middle exposure, unpatched servers, and shared server hosting.

TVS experts will prepare a Penetration Testing Report that includes detailed information on the identified risks, the vulnerability findings and an action plan for applying fixes. Where the test has left artefacts on the customer's systems (test accounts, uploaded tooling, backdoors placed to demonstrate persistence), post-exploitation clean-up work to remove them and restore the original state will also be conducted. Logs generated during the test are left intact so that the customer's defenders can review how the activity appeared to them.

With TVS Penetration Tests you will be able to:
- Determine the feasibility of attack vectors and validate risk assessments
- Identify vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
- Identify higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
- Assess the potential impact on business continuity of successful attacks
- Test the ability of defenders to detect and respond to the attacks

Our penetration testing experts will help you build layered security into your organisation at any and every stage of the Security Development Lifecycle, with the minimum of disruption to project development. To ensure your applications are as secure as possible, combine our Penetration Testing with our Application Security Service.

Don't let application vulnerabilities put your business at risk.

4 Service Delivery
TVS offers a flexible delivery model for its Security and Penetration Testing services, both in terms of engagement options and work location. The flexible engagement options are described in Section 7 (Ordering and Invoicing Process) below.

Application Security coaching takes place primarily on your site, working alongside your project teams. Related activities can be carried out on your site, at TVS's UK offices, offshore at TVS test centres in India, or as a blended model with a security testing team split between onsite and offshore. Penetration Testing can be conducted offshore at TVS test centres in India where the application to be tested is deployed and can be accessed remotely.

TVS is flexible in its approach, engaging with customers using the most suitable and cost-effective model for them. Because of this we offer exceptional value for money when you engage with us.

5 Service Management

5.1 Monitoring Engagements
For each Application Security or Penetration Testing Service engagement, TVS will appoint a service delivery manager to monitor the engagement. It will also be monitored by the TVS senior delivery management team, who meet weekly to review all engagements. For each engagement, TVS will:
- Deliver an implementation plan in the form of a Work Breakdown Structure (WBS) at the start of the engagement, including a risk log
- Produce weekly reports that identify:
  - A summary of the progress made during that week
  - An updated plan and status
  - Any dependencies or blocks on progress
  - Any issues affecting progress
  - Any new risks identified, or updates to mitigation activities for known risks
  - An updated Actions and Decisions spreadsheet with updates on agreed actions and any project decisions
- Hold weekly Progress Review conferences with the nominated customer contact for the engagement to discuss the weekly reports

5.2 Information Assurance and Security
TVS complies with ISO/IEC 27001, the international standard for information security management systems. We take very seriously the security of all customer information we are entrusted with and all access to customer information we are granted.

When working onsite, our staff comply with local information security policies. When working remotely, either in our UK offices or at our offshore test centres, we agree with you the policy for both the location of and access to any sensitive information, including software. Our offices and test centres offer a high level of physical and environmental security, secure communications and operations management, and granular access control to all software and information. Where a customer prefers, we can instead deliver our services with secure access to software and information held on the customer's servers in the Cloud or in their own or third-party data centres, with all downloading of software and information prohibited.

6 Customer Responsibilities
Our aim is to take management responsibility for our Security and Penetration Testing Services, minimising the management overhead on our customers. When an engagement is onsite, the customer typically provides any test development machines, test tool licences, access to test execution environments, and standard office facilities. When an engagement includes remote working in our UK offices or in our test centres in India, TVS provides our test consultants/engineers with standard office and computing facilities, and we will be clear about any tool licences and/or test hardware that it is the customer's responsibility to provide.

7 Ordering and Invoicing Process
TVS offers flexible commercial models to suit our customers' needs. Typically our Security and Penetration Testing Services are offered on a Time and Materials (T&M) or Fixed Price basis, depending on the nature of the work and customer preference. We can also engage using commercial models based on Outcomes, Risk-Reward and so on where this is a customer's preference and suitable terms can be agreed.

7.1.1 Service Ordering
If the application security or penetration testing work can be defined adequately, the commercial model may be T&M, Fixed Price or another model, depending on customer preference. Where a Fixed Price is preferred but the work is not yet defined adequately, TVS can offer an initial T&M scoping study to define the work; the customer then has the option of having the work done on a Fixed Price basis by TVS or by an alternative supplier. Where a customer wants flexibility to change the scope of the Service during an engagement, T&M is often the best commercial model to adopt.

To order a specific Application Security or Penetration Testing Service, the customer typically specifies the:
- Preferred commercial model
- Work to be carried out
- Deliverables required
- Engagement start date
- Desired engagement end date and any intermediate milestones

The customer will also need to provide the supporting information necessary for TVS to derive a Fixed Price for the work if a Fixed Price commercial model is preferred. TVS will work with you to clarify your requirements and scope the Service. TVS will then provide a proposal for the Service that will:
- Define our technical and managerial approach
- Incorporate a draft implementation plan with milestones and deliverables
- Identify key staff
- Identify any dependencies, assumptions and risks
- Provide a commercial offer to undertake the work

Formal acceptance of the proposal by the customer is indicated by raising a formal Order, using the Order Form provided in the G-Cloud Framework Agreement, and optionally a customer Purchase Order. This completes the ordering process.

7.1.2 Invoicing
For services undertaken on a T&M basis, invoicing will be monthly in arrears with 30-day payment terms. For work undertaken on a Fixed Price basis, invoicing will be against achievement by TVS of agreed milestones, again with 30-day payment terms. For other commercial models a suitable invoicing profile will be agreed; payment terms will remain at 30 days.

8 Termination Terms
For termination for convenience by a customer, the notice period required by TVS will be agreed at the start of an engagement, but will typically range from 5 working days for short-term engagements (3 months or less) to 30 working days for longer-term engagements. Upon termination, customers are required to pay TVS for all services completed up to the date of termination, unless we are able to reassign our staff earlier. TVS will provide the customer with all outputs from work carried out up to the termination date, will return any property loaned by the customer, and will return or destroy, at the customer's request, any data provided by the customer.

9 About TVS
TVS is an acknowledged leader in Testing and Verification. Founded in 2008 to provide specialist test and verification services and products to organisations worldwide, TVS has grown consistently year on year as a result of successfully helping its customers to improve their verification and testing processes, reduce their application design and development costs, shorten their development timescales, and raise the quality of their applications.

Headquartered in Bristol, TVS has opened offices in Germany, France, India (Bangalore and Chennai) and Singapore, enabling us to offer customers services where project costs and the availability of skills are important factors. TVS can run projects on a customer site or off-site, and is helping organisations implement offshore verification and testing capabilities.

[Figure: Continuous geographical expansion (UK 2008, Germany 2011, India 2011, France 2012, USA 2014, Singapore 2014, with China and South Korea also shown) and consistent revenue growth (2011-12: 1.5M; 2012-13: 2.5M; 2013-14: 3.5M; 2014-15: 4M+).]

TVS is able to deliver state-of-the-art solutions by keeping abreast of the latest developments through attending, speaking at and organising industry conferences and events, and by contributing leading-edge articles on test and verification methodologies and tools. As well as being represented on the committee of the BCS Special Interest Group in Software Testing, providing the current chair of BCS Bristol and the current chair of the High Tech group for the West of England Local Enterprise Partnership (LEP), TVS organises and hosts several of its own conferences and events each year, dedicated to both the software and hardware sectors. For the software testing community we regularly run our Intelligent Testing conference, which focuses on improving the efficiency and effectiveness of software testing.

You can find details of our events and conferences, plus information on past conferences, on our website: www.testandverification.com/conferences/

To complement its comprehensive range of test and verification services, TVS has developed asuresign(TM), a requirements-driven management and verification tool for managers, developers and integrators that ensures that application/product requirements have been successfully tested and implemented.

Using the latest in Requirements Driven Verification and Test (RDVT) methodologies, asuresign(TM) takes requirements engineering beyond the test definition of common requirements-tracing practice by accumulating data on the status of verification and test metrics over the duration of a project and automatically relating these back to the specified requirements, leading to:
- Increased quality of the final product
- Reduced verification and test timescales
- Increased productivity of requirements, verification and test resources
- Improved project, requirements and verification management
- Enhanced compliance and audit documentation

More information on asuresign(TM) can be found on our website: www.testandverification.com/solutions/requirements/

At TVS we are proud of all our staff and of the Leadership Team's track record in delivering world-class products and high-quality services to a diverse range of customers. Our customers include well-known names such as Intel, Panasonic, Fujitsu, Ericsson, ARM and Ultra Electronics, but what makes us particularly proud is that, having once engaged with us, many return time and time again.

Why do organisations choose TVS? Because TVS's test and verification services and products deliver:
- Faster time-to-market
- Improved quality / reduced product risk
- Lower development costs
- Improved product features
And TVS quickly becomes a Trusted Partner they can depend on.

To find out more about TVS, our Services and Products, our Customer Case Studies and our Conferences, or to contact us to discuss your requirements, please visit our website: www.testandverification.com