G-Cloud IV Framework Service Definition Accenture Web Application Security Scanning as a Service



Similar documents
G-Cloud IV Services Service Definition Accenture Cloud Security Services

G-Cloud III Services Service Definition Accenture Cloud Security Services

G-Cloud IV Services Service Definition Accenture Force.com Cloud Services

G-Cloud II Services Service Definition Accenture Cloud PaaS Implementation Services AWS Beanstalk

G-Cloud IV Services Service Definition Accenture Netsuite Cloud Services

Cenzic Product Guide. Cloud, Mobile and Web Application Security

Strategies for assessing cloud security

Cisco Security Optimization Service

PCI DSS Top 10 Reports March 2011

Technology. Accenture Data Center Services

The power of collaboration: Accenture capabilities + Dell solutions

G-Cloud II Services Service Definition Accenture Cloud Infrastructure Implementation Services

G-Cloud III Services Service Definition Accenture Cloud Integration Services

Accenture Human Capital Services for SuccessFactors

G-Cloud IV Framework Service Definition Accenture Medical Imaging Managed Service (AMIMS)

G-Cloud II Services Service Definition Accenture Cloud SaaS Implementation Services Google Apps

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

DEVOPS: INNOVATIVE ENGINEERING PRACTICES FOR CONTINUOUS SOFTWARE DELIVERY

Preemptive security solutions for healthcare

Building the Digital HR Organization. Accenture and SuccessFactors on the changing nature of HR

50x Zettabytes*

IBM Security Privileged Identity Manager helps prevent insider threats

Accenture Cloud Platform Unlocks Agility and Control

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Duck Creek. On-Demand

IBM Rational AppScan: enhancing Web application security and regulatory compliance.

IBM Rational AppScan: Application security and risk management

Procuring Penetration Testing Services

Accenture and Salesforce.com. Delivering enterprise cloud solutions that help accelerate business value and enable high performance

PCI DSS READINESS AND RESPONSE

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Application Security Center overview

Strengthen security with intelligent identity and access management

IT Security & Compliance. On Time. On Budget. On Demand.

Managed Services. The Future of Process Led Transformation has arrived. Insight Driven Value Chain Management. Execution Excellence

Safeguarding the cloud with IBM Dynamic Cloud Security

A NEW APPROACH TO CYBER SECURITY

Advanced Threat Protection with Dell SecureWorks Security Services

BMC Cloud Management Functional Architecture Guide TECHNICAL WHITE PAPER

On Demand Penetration Testing Applications Networks Compliance.

Mapping and Geographic Information Systems Professional Services

Simply Sophisticated. Information Security and Compliance

Accenture cloud application migration services

Cisco Unified Communications and Collaboration technology is changing the way we go about the business of the University.

G-Cloud IV Services Service Definition Accenture Managed Services for SaaS

Cloud Computing - Benefits and Barriers for Retail Adoption

Securing business data. CNS White Paper. Cloud for Enterprise. Effective Management of Data Security

Accelerating High Performance with Accenture Application Services for Java

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

10 Things Every Web Application Firewall Should Provide Share this ebook

Security-as-a-Service (Sec-aaS) Framework. Service Introduction

How To Protect Your Cloud From Attack

Accenture & NetSuite

Staying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities.

Data Protection Act Guidance on the use of cloud computing

ALERT LOGIC FOR HIPAA COMPLIANCE

Security solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments.

Worldwide Security and Vulnerability Management Forecast and 2008 Vendor Shares

Leveraging Symantec CIC and A10 Thunder ADC to Simplify Certificate Management

Accenture Life Sciences Cloud for Commercial Services

72% 41% THE MAJORITY OF BUSINESSES SAY THEY EXPECT TO PUT MORE THAN HALF OF THEIR WORKLOADS IN THE CLOUD BY 2017, UP FROM 58% TODAY.

NEC Managed Security Services

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

Microsoft Services Premier Support. Security Services Catalogue

Accenture Technology Consulting. Clearing the Path for Business Growth

SP Monitor. nfx One gives MSPs the agility and power they need to confidently grow their security services business. NFX FOR MSP SOLUTION BRIEF

Protective Monitoring as a Service. Lot 4 - Specialist Cloud Services. Version: 2.1, Issue Date: 05/02/201405/02/2014. Classification: Open

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

Wealth and Asset Management Services Spotlight. Redefining the Wealth Management Client Onboarding Experience

Total Protection for Compliance: Unified IT Policy Auditing

Integrating Application Security into the Mobile Software Development Lifecycle. WhiteHat Security Paper

Cloud CRM. Scalable solutions for enterprise deployment

Solution brief. HP solutions for IT service management. Integration, automation, and the power of self-service IT

Security. Security consulting and Integration: Definition and Deliverables. Introduction

PCI Compliance for Cloud Applications

PARTNER PROGRAMME GUIDE

PCI DSS Reporting WHITEPAPER

HP Fortify Software Security Center

G-Cloud Service Definition. Atos Information Security Wireless Scanning Service

Are You Ready for PCI 3.1?

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Application Security in the Software Development Lifecycle

Imperva Cloud WAF. How to Protect Your Website from Hackers. Hackers. *Bots. Legitimate. Your Websites. Scrapers. Comment Spammers

2014 HIMSS Analytics Cloud Survey

Security Services. 30 years of experience in IT business

WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY?

IT Security Testing Services

Protecting Your Organisation from Targeted Cyber Intrusion

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

G-Cloud III Framework Service Definition Accenture Azure Cloud Services

IBM QRadar as a Service

Business Case Outsourcing Information Security: The Benefits of a Managed Security Service

Transcription:

G-Cloud IV Framework Service Definition Accenture Web Application Security Scanning as a Service 1

Table of contents 1. Scope of our services... 3 2. Approach... 4 a. HealthCheck Application Scan... 4 b. Bronze Application Scan... 4 c. Silver Application Scan... 4 d. Gold Application Scan... 5 3. Assets and tools... 6 4. Expected Outcomes... 6 5. Pricing... 7 6. Contacts... 8 7. About Accenture... 8 2

1. Scope of our services This document describes Accenture s Web Application Security Scanning as a Service, and should be read in conjunction with the associated Government Cloud IV Services documentation. The service is provided through the Accenture Cloud Platform (ACP), providing enterprise-ready cloud services for clients. ACP is described in more detail within Accenture s IaaS Services. The Web Application Security Scanning as a Service is a real time, cloud-driven solution that inspects an application's security posture to discover vulnerabilities. The service helps clients to request an on-demand security review of their Internet-facing web applications at any point in the development, testing or production processes. Customers subscribe to a scanning package for specific applications, with each package consisting of security tests with selectable testing depth, frequency and results analysis. Our service assists customers through tasks ranging from running the application scans to understanding the vulnerabilities, as well as remediation options and implementation support. The service includes the following features: On-demand initiation of web application scanning for entire application portfolio, with scanning choices to match different risk levels and compliance requirements Best in class automated application security scanning, powered by Cenzic, an Enterprise class provider of Dynamic Application Security Testing products Accenture's Assisted scanning provides dedicated support for scan execution and reporting by skilled threat and vulnerability management practitioners Accenture's Advanced support option offers false positives removal as well as security strategy, architecture, planning and remediation assistance Regularly performing automated web application security assessments is considered an initial step towards an increased application security confidence. To complement this, Accenture offers a comprehensive set of one-off application and infrastructure security testing services Accenture s experience of delivering Security Services for clients globally has been streamlined into a recommended operating model called Threat and Vulnerability Management Capability. This TVM capability offers a complete spectrum of services that can be adapted to fit and build on the security maturity of any organisation. These optional services include: Vulnerability Scanning Security Reviews in the Software Delivery Lifecycle Source code analysis Penetration testing Configuration review Social Engineering 3

Furthermore, Accenture also provides a set of Managed Services that complement the Web Application Security as a Service Model, such as: Application Security Operations Security monitoring and reporting Infrastructure Security Management IT Risk and Compliance User and Identity Administration 2. Approach Accenture delivers TVM services based on a standardised, common method. This helps confirm efficiency, repeatability and solid delivery whether you want to implement or operate a Capability or run an independent assessment. Accenture s TVM assessments allow clients to configure a custom package depending on the required scope. Various engagement levels are available depending on the threat environment and risk profile of the assets to be tested. This service allows users to perform security vulnerability assessment scans against web applications. Each application requires its own subscription, which allows flexibility in the assessment depth and level of support provided. Accenture Cloud Platform (ACP) clients can select from several different options. Application Scans The cornerstone of the service is comprised of four types of subscriptions differentiated by the depth of testing and type of applications covered. Each subscription option provides services focusing on scan coverage, typical usage and the associated benefits. a. HealthCheck Application Scan The Healthcheck Application Scan helps the client to assess the security posture immediately and at no charge by checking for a limited number of application related vulnerabilities. This service should be leveraged as the initial step towards a stronger security posture with no capital investment required. The scan should be applied to all applications regardless of their business criticality or operational importance. b. Bronze Application Scan The Bronze Application Scan focuses purely on basic vulnerabilities most often exploited by hackers in relation to the running application. However, web server configuration vulnerability checks are limited with this service. The results will provide greater insight into website security posture and how much effort needs to be completed in order to improve web application security. The scan may be applied to every application regardless of its business criticality or operational importance. c. Silver Application Scan The Silver Application Scan is a more robust website test that finds the most common defects that lead to a data breach and brand damage and also focuses extensively on web server vulnerability checks. The result of a Silver Application Scan will provide more insight into web server configuration aspects as well as web application issues related to malicious file inclusions or unwanted data extractions. The scan should be applied for web applications with content that has been identified to increase value for the company. 4

d. Gold Application Scan The Gold Application Scan is a comprehensive service combining tests from both the Bronze Application and Silver Application Scan. Also, there are additional evaluations regarding input validation, credentials handling and transmission and checks to uncover potential areas for application data leakage. The results of the Gold Application Scan will provide a comprehensive information an automated scanning tool can deliver and will help the client to receive a final report in a PCI 6.6 or OWASP Top 10 2010 compliant reporting format. This is critical for clients where PCI or OWASP standard compliance is required. The Gold Application Scan as part of our scanning solution is on the list of officially approved PCI scanning approaches. The Gold scan should be applied for web applications with content that already has significant value for the company. Figure 1 Subscription applicability pyramid % of Vulnerabilities and Application tested Depicts the coverage/amount of vulnerability checks and extent to which the application is tested Risk Depicts the risk for the company if a particular application gets compromised Application Security Level Communicates that the more important the application is the more robust testing should be executed Assisted Standard Scanning The Assisted Standard Scan connects the client with an Accenture Security Practitioner who is part of the Accenture Threat & Vulnerability Management team for consuming the cloud-based security scanning service. The Accenture Security Practitioner will leverage the scanning portal to deliver the service on behalf of the client and will provide on-boarding support, scan execution and raw reporting. Additionally, the resource will be responsible for billing the client for labour hours following standard Accenture time reporting procedures. The scan is tailored to support clients that have an established skill set for remediation of identified vulnerabilities but are seeking assistance with on-boarding and execution to help them to focus on potential vulnerability mitigations. This support model will also increasingly save the client s time in scenarios where large quantities of applications are to be submitted and assessed. All operations on the scanning interface will be handled by the Accenture TVM Team. Assisted Advanced Scanning The Assisted Advanced Scan support model derives from the Assisted Standard Scan model and introduces additional features that further off-load components of the remediation process that would normally be the sole responsibility of the client. The scan provides additional support, specifically in the area of reporting. The Accenture TVM Team will assist the client to define remediation priorities, clear out false positive findings, and 5

provide remediation suggestions and a remediation roadmap. The scan is tailored to clients that seek support in the on-boarding, execution and remediation phases. Service Deliverables Depending on the support model selected, the following deliverables are provided: Raw scanning results Formatted executive summary with prioritised findings Detailed prioritised findings report Prioritised remediation recommendations Remediation roadmap 3. Assets and tools Accenture s accelerator assets and delivery methodologies around risk and threat analysis, vulnerability testing, penetration testing and vulnerability remediation management underpin this cloud based offering and bring the Accenture efficient delivery excellence to every project. Alongside these methods, the web application scanning tooling brings immediate potential benefit and security assurance from day one. Accenture s Threat & Vulnerability Management advisors focus on how to deliver the most precise results and provide valuable remediation feedback to the client to assist in increasing security confidence at any point in time. Accenture has integrated this cloud-based dynamic web application scanning solution into the Accenture Cloud Platform a cloud service broker platform to help decrease the time to client value for cloud services. 4. Expected Outcomes Security is undoubtedly one of the most important and discussed topics today. Web Application Security Scanning as a Service (WASSaaS) aims to improve confidence in web application security by providing a solution that: Requires low capital investment A cloud-based approach to the solution lowers the investment requirements. The pay-as-you-go model enables the use of WASSaaS on an ad-hoc basis or periodically in defined intervals without the need to host the scanning servers, maintain the datacentre space or maintain scanning solution updates. Provides commercial flexibility/custom scan requirements Client can tailor and consume their security scans via a self-service model. Each per application subscription can be different in order to comply with client needs and requirements. Eliminates client staffing needs No additional client-based resources are needed. Typically, for web application testing engagements the client will require skilled web application testers for scan execution and operations workforce to maintain and upgrade the scanning solution. Instead of constantly maintaining these resources, WASSaaS enables the client to stay focused on securing web applications. Provides scalability Scanning subscriptions offer four different levels with regards to the depth (number of checks) of scanning. This allows the client to select the appropriate subscription for the application to reflect the application s 6

business criticality and operational importance. Additionally, the client can use the Assisted Standard support model (See section 2.2) or the Assisted Advanced support model (See section 3.1) to engage with Accenture s Threat & Vulnerability Management (TVM) experts who can provide further scanning assistance and guidance. Offers compliance Accenture s WASSaaS solution can help organisations seeking PCI and OWASP compliance. For business critical applications where the most robust subscription is recommended, we are able to provide a PCI 6.6 and OWASP Top Ten 2010 compliant reports. The scanning engine in use is on the list of the PCI officially approved application scanners (See section 4.4). Example: A large telecommunications client lacked application security testing capabilities internally. No budget was available for a large application security program. Business challenges: - Requirement for testing internet facing applications, authenticated (including web and mobile applications) - Application Security testing is seen as a requirement following security issues, and a measure of the security is made internally by the compliance of applications to the OWASP standard - One application with PCI compliance requires PCI compliance scans - Advanced security testing (design review and penetration tests) to be performed on top of the standard Web Application Security Scanning as a Service security checks for the most critical applications Approach: - Selected the Cloud solution to perform scans, to benefit from low deployment and running costs - Generated vulnerability reports for technical teams, as well as standard and compliance reports for internal OWASP compliance and external PCI certification maintenance - The Accenture TVM team provided advanced reporting with False Positives removal as well as remediation assistance for the vulnerabilities reported Results - Client was able to get cost-effective point in time security results without a need for long negotiations, onboarding or contracting obstructions. - Client received list of suggested improvements giving ability to implement new controls and increase the security maturity of the solution in a meaningful and systematic way. - Client was able to get the assets re-tested as it was progressed with the remediation work for a fraction of the subscription price. This enabled actual view on whether the implemented controls successfully mitigated the particular vulnerability. 5. Pricing Please refer to the associated Pricing Document relevant for this Service. 7

6. Contacts Simon Mitchell (Accenture Health & Public Services Sales Lead) Email: sales.support.uk@accenture.com Telephone: ++44 7702 234537 Daniel W. Mellen (Offering Development Lead, Accenture Cloud Services Security) Email: Daniel.w.mellen@accenture.com Telephone: +1 703 598 4316 7. About Accenture Accenture is a global management consulting, technology services and outsourcing company, with approximately 269,000 people serving clients in more than 120 countries. Combining excellent experience, comprehensive capabilities across all industries and business functions, and extensive research on the world s most successful companies, Accenture collaborates with clients to help them become high-performance businesses and governments. The company generated net revenues of US$27.9 billion for the fiscal year ended Aug. 31, 2012. We have five industry-focused Operating Groups (OGs) including Health & Public Service, Communications Media & Technology, Financial Services, Products and Resources and these are supported by three Growth Platforms: Management Consulting, Technology and Outsourcing. 8

Copyright 2013 Accenture All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Copyright 2012 Accenture All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information