Info Security

From UG


Current revision as of 20:08, 16 February 2012


Info

  • parent mantis: 0003451: [Info Security] .... parent
  • mantis category: Info Security
  • Analyst: Perry

Requirements

Web Application Penetration Testing

Perry has engaged Nettitude (initial meeting on 2/15/2012 @ 3:00PM) to provide an initial quote to execute a Grey Box ethical hack against the CyberTrax Client Application. We expect an initial assessment and quote from Nettitude by Friday 2/17/2012. Nettitude is one of just a handful of CREST (Council of Registered Ethical Security Testers) certified member companies.

Vendor Contact:

Paul Dunlop

Account Executive

Nettitude Inc


D 212-634-6363 Ext.2644

C 917.704.5699

E pdunlop@nettitude.com

www.us.nettitude.com


Test Requirements:

1) Nettitude will perform targeted Grey Box testing of our Production CyberTrax system. Rather than simple brute-force Black Box testing, in which vulnerabilities are identified pre-authentication, we have asked that they test for vulnerabilities post-authentication. They will test for common vulnerabilities (SQL injection, XSS, parameter manipulation, etc.) as well as data accessibility issues (role/client accessibility).

2) If this project is initiated, we will provide login credentials to Nettitude along with a walk-through of our application. I suggest we set up a test client with obfuscated data for Nettitude to use for their tests. Either way, Nettitude will sign a Non-Disclosure Agreement with Jaguar to protect our client confidentiality in the event they are able to gain access to live client data.

3) Since our Production system is hosted in a different data center than Staging, we will gain the most benefit if Nettitude executes the test against our Production system. They have flexible testing windows, so we can request that they test during off-hours to minimize impact to BAU (Business As Usual) operations. Also, since they will be testing in a live system, we have requested that they employ non-intrusive techniques to minimize impact to our system.

4) Nettitude will provide a preliminary report after they complete the first round of tests. They will partner with Jaguar and provide recommendations on how to best remediate any findings. Once findings are remediated, Nettitude can either execute another full test or a targeted test to verify that the vulnerabilities are indeed addressed. Once a final report is published, then our engagement with Nettitude will officially close.


A sample report and additional information about Nettitude can be found at:

http://ct.jaguarfreight.com/mantis/view.php?id=3453

www.us.nettitude.com

Action Plan:

- Perry will evaluate potential vendors and obtain quotes.

--[update 02/16/2012] - Awaiting response from second vendor Plynt.

- Project will be presented to CT2 Board on 2/27/2012

- Ideally, Jaguar should perform annual vulnerability assessments of CyberTrax.

SOW 1
