Security Testing and Vulnerability Management Process. e-governance

Security Testing and Vulnerability Management Process for e-governance (Draft)
DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY
Ministry of Communication and Information Technology, Government of India

Document Control
S/L | Type of Information | Document Data
1. | Document Title |
2. | Document Code |
3. | Date of Release |
4. | Next Review Date |
5. | Document Revision Number |
6. | Document Owner |
7. | Document Author(s) |
8. | Document Reference |

Document Approval
Sr. No. | Document Approver | Approver Designation | Approver E-mail ID

Document Change History
Version No. | Revision Date | Nature of Change | Date of Approval

For Internal Use Only Page 2 of 11

Table of Contents
1. INTRODUCTION ... 4
2. SCOPE ... 4
3. PURPOSE ... 4
4. PENETRATION TESTING ... 5
5. PENETRATION TESTING PROCESS ... 6
6. VULNERABILITY MANAGEMENT PROCESS ... 7
   6.1 FREQUENCY ... 7
   6.2 METHODOLOGY ... 7
   Phase-1: Scoping and Communication ... 8
   Phase-2: Vulnerability Scanning ... 8
   Phase 3: Extraction of Reports ... 9
   Phase 4: Removal of False Positives ... 9
   Phase 5: Final Report Generation ... 9
   Phase 6: Tracking Closure of Vulnerabilities ... 9
   Roles and Responsibilities Matrix for Vulnerability Assessment ... 10
7. ANNEXURE ... 11

1. INTRODUCTION

Security testing and vulnerability management encompasses the measures taken to review the output of an application from the perspective of application security. The review of penetration testing output is done in alignment with the updates and recommendations of OWASP (Open Web Application Security Project) and WASC (Web Application Security Consortium). The review is also done in compliance with the e-Gov Security Policy.

A vulnerability is a flaw or weakness in the design or implementation of hardware, software, networks or computer-based systems, including the security procedures and controls associated with those systems. A vulnerability assessment identifies and categorizes all declared vulnerabilities but does not permit exploitation, whereas penetration testing allows the assessors to exploit the vulnerabilities they find.

2. SCOPE

This process applies to all applications hosted in datacenters across all locations where information of e-Gov service delivery is processed and/or stored within the application.

3. PURPOSE

The objective of creating the vulnerability assessment process is to establish a formal methodology document for conducting vulnerability assessment of critical systems, thereby proactively discovering to what extent the security of information systems is threatened by attacks and whether the security measures in place are currently capable of ensuring information security. The process addresses vulnerabilities before they can be exploited to compromise company resources, and ends by providing recommendations for closure of the identified vulnerabilities and minimizing loss of confidentiality, integrity and availability of data.

4. PENETRATION TESTING

Penetration testing primarily targets the application security mechanisms (e.g., cryptography, data validation and authentication) implemented in the identified application. The attacks tried out during testing include the OWASP Top 10 vulnerabilities:

o Unvalidated Input
o Broken Access Control
o Broken Authentication and Session Management
o Cross Site Scripting (XSS) Flaws
o Buffer Overflows
o Injection Flaws
o Improper Error Handling
o Insecure Storage
o Denial of Service
o Insecure Configuration Management

Identified vulnerabilities are reported and prioritized on the basis of impact and likelihood. A timeline for closure of each identified vulnerability is defined by the Application Owner. Where remediation is infeasible, the risk should be minimized and the residual risk documented over email with a sign-off.

Example: The IBM Rational AppScan tool is used for automated penetration testing. Vulnerabilities so found are reviewed manually before the report is published and shared with the Application Owner. Thick client application penetration testing is carried out manually.

5. PENETRATION TESTING PROCESS

Penetration testing is to be carried out by any STQC empanelled auditor. In this document we refer to the same as the PT (Penetration Testing) team.

[Flowchart: Penetration testing process, with swimlanes for Application Owner, CISO and PT team. Start; PT team asks for details of pre-prod and test environments; perform port scanning of application; manually validate test findings; generate and share PT report with Application Owner; Application Owner reviews PT report and seeks clarification from PT team if required; fix the vulnerabilities and share the evidence with PT team; PT team validates the evidence to confirm fix of vulnerabilities; Stop.]

a. PT team asks for the details required to initiate the penetration testing. The details include:
   o Application URL in pre-prod/test environment
   o Minimum two user credentials (one with administrative level access, one normal user)
   o Any sensitive URLs that are out of scope
b. Application Owner ensures that the application is stable enough and all functionalities are working.
c. PT team requires at least 3-4 days for completing penetration testing.
d. Port scan is carried out on the pre-production environment. The findings reported by the tool are documented in the final Penetration Testing report, which is shared with the Application Owner. Automated penetration testing is carried out on the application. On completion of the automated testing, manual validation of vulnerabilities is carried out.
e. A report is created for the vulnerabilities found and shared with the Application Owner. The vulnerabilities are classified and rated High, Medium or Low according to their severity. Severity is categorized based on impact, likelihood and the results of tool output. Refer to the Annexure for the PT Report template.
f. Security gaps are worked on by the concerned team and the necessary changes are incorporated to secure the application/environment.
g. Application team shares evidence supporting closure.
h. PT team then reviews the response and closes the observations based on the evidence shared by the Application team. If any discrepancy is observed, the PT team gets back to the Application team to seek clarifications.
i. Final closures are to be approved by the CISO.

6. VULNERABILITY MANAGEMENT PROCESS

6.1 FREQUENCY

The vulnerability assessment cycle is carried out annually. The full cycle covers the end to end process, starting from scoping of devices to the closure tracker on scanned devices.

6.2 METHODOLOGY

The following diagram depicts the methodology for vulnerability management.

Phase-1: Scoping and Communication

The scoping and communication phase of vulnerability management comprises the following:
o Approved list of selected devices for which vulnerability assessment is to be carried out;
o Approved vulnerability assessment end to end plan;
o Suitable dates for carrying out vulnerability assessment;
o Time slots for vulnerability assessment; and
o Communication of final dates and time slots to all stakeholders.

Phase-2: Vulnerability Scanning

In this phase an attempt is made to determine the existence of known vulnerabilities and to discover whether any weak configuration settings are in use on the internal systems/devices. This is accomplished using a tool based vulnerability scanning method.

Phase 3: Extraction of Reports

In this phase, the team conducting the vulnerability assessment collects the output of the vulnerability assessment from all relevant remote VA servers and extracts the individual vulnerability data items. The information provided by the vulnerability assessment about the target host includes, but is not limited to, the following:
o OS version, open ports, active services, protocols, etc.
o Vulnerabilities and the risk rating of each vulnerability
o Remediation steps

Phase 4: Removal of False Positives

The objective of this phase is to weed out any false positives appearing in the output of the VA tools. These false positives may involve:
o Wrong reporting of the existence of a vulnerability that is not applicable to the target environment/host
o Highlighting a configuration setting that is required for business purposes and whose risk is acceptable or is mitigated by other measures
o Reporting a service/open port which is actually not running/open
The execution of this phase may require administrative privileges on the system/device under VA scope.

Phase 5: Final Report Generation

In this phase, the output of the VA tools is used to formulate a management report for presentation to the key management representatives. This report presents an overall summary of the VA findings and also contains the detailed vulnerability observations. Refer to the Annexure for the VA report template.

Phase 6: Tracking Closure of Vulnerabilities

Tracking the closure of identified vulnerabilities plays a very important role in the vulnerability management process. Once the report containing the final set of vulnerabilities is generated and handed over to the CISO, closure tracking needs to be done so that every critical vulnerability is patched, remediation steps are followed and operating systems are hardened.

Roles and Responsibilities Matrix for Vulnerability Assessment

The roles and responsibilities matrix for accomplishing the tasks of conducting vulnerability management is given hereunder:

Role: Team lead - VA (Data center Operations Team)
Responsibility: Team lead - VA has the overall responsibility for ensuring that VA objectives are met. Responsibilities include:
o Maintaining VA measurements for reporting
o Ensuring proper implementation of the Vulnerability Management Process
o Analyzing trends and compliance thresholds
o Establishing thresholds and exception (alert) reporting procedures
o Implementing approved VA process changes according to requirements
o Managing the VA Team resources
o Creation of the VA Cycle Audit Plan
o Ensuring availability of all resources (people and technical) before every VA cycle

Role: Team member - VA
Responsibility: Team member - VA has responsibility for providing support to the Team lead for VA activities. Specific responsibilities include:
o Providing technical support and advice to address VA gap closure issues
o Performing the VA audit on selected devices as per the plan
o Creating the management report on the basis of the VA report and taking sign-off on the same from relevant business representatives
o Advising the VA Team Lead of any required system configuration or modifications to meet VA objectives

Role: Infra and Operations Team
Responsibility:
o Provide sign-off on the Audit Plan
o Implement recommendations in the VA report as per the set schedule
o Identify false positives from the tool report
o Raise change management requests for implementing patches/vulnerability closure recommendations
o Submit closure status to Composite Team - Security on a weekly basis

Role: Composite Team - Security
Responsibility:
o Provide the approved breakup plan for annual phases of vulnerability audits
o Drive closure for identification of target devices

Role: CISO
Responsibility:
o Track the closure of vulnerabilities found as per the required frequency
o Provide feedback for improvement of the VA process
o Provide sign-off on the Management Report
o Provide management support to achieve the set objectives for the success of the VM process

7. ANNEXURE

o PT report.xlsx
o VA report.xlsx
o PT Indemnity Agreement.doc
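Phases 3 to 6 above describe a data-handling pipeline (extract findings, weed out false positives, rate and report, track closure). The following is an added example that is not part of this document or its report templates; it runs the pipeline over a constructed scanner output, and the record layout, host names, findings, the 1-3 impact/likelihood scale and the High/Medium/Low thresholds are all assumptions made for the illustration.

```python
"""Phases 3-6 of the VA process over constructed scanner output (added example; all data is hypothetical)."""
from collections import Counter

# Constructed raw scanner output: one record per reported finding (what Phase 3 extracts).
SCAN_OUTPUT = [
    {"host": "app-srv-01", "port": 22, "finding": "Weak SSH ciphers enabled",
     "impact": 2, "likelihood": 2, "remediation": "Restrict the cipher list in sshd_config"},
    {"host": "app-srv-01", "port": 23, "finding": "Telnet service exposed",
     "impact": 3, "likelihood": 3, "remediation": "Disable telnet; use SSH only"},
    {"host": "db-srv-02", "port": 445, "finding": "SMBv1 enabled",
     "impact": 3, "likelihood": 2, "remediation": "Disable SMBv1"},
    {"host": "db-srv-02", "port": 8080, "finding": "Outdated web server banner",
     "impact": 1, "likelihood": 1, "remediation": "Patch the web server"},
]
# Phase 4 inputs (constructed): ports confirmed open with administrative access on the
# host, and documented business exceptions whose risk is accepted or mitigated otherwise.
CONFIRMED_OPEN = {("app-srv-01", 22), ("app-srv-01", 23), ("db-srv-02", 445)}
EXCEPTIONS = {("db-srv-02", "SMBv1 enabled"): "legacy app dependency; mitigated by network ACL"}

def rate_severity(impact, likelihood):
    """Rate High/Medium/Low from impact x likelihood, each on an assumed 1-3 scale."""
    score = impact * likelihood
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def remove_false_positives(records, confirmed_open, exceptions):
    """Phase 4: drop findings on ports that are not really open and accepted-risk items;
    everything kept gets its severity rating. Returns (kept, dropped-with-reason)."""
    kept, dropped = [], []
    for r in records:
        if (r["host"], r["port"]) not in confirmed_open:
            dropped.append((r["finding"], "service/port not actually open"))
        elif (r["host"], r["finding"]) in exceptions:
            dropped.append((r["finding"], "accepted risk: " + exceptions[(r["host"], r["finding"])]))
        else:
            kept.append(dict(r, severity=rate_severity(r["impact"], r["likelihood"])))
    return kept, dropped

def management_report(findings):
    """Phase 5: overall summary (count per severity) plus the detailed observations."""
    summary = dict(Counter(f["severity"] for f in findings))
    detail = [(f["host"], f["severity"], f["finding"], f["remediation"]) for f in findings]
    return {"summary": summary, "detail": detail}

def closure_tracker(findings, evidence):
    """Phase 6: a finding is closed only once closure evidence has been recorded for it."""
    return {(f["host"], f["finding"]): "closed" if (f["host"], f["finding"]) in evidence else "open"
            for f in findings}
```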