Info Security

From UG


Revision as of 19:28, 16 February 2012


Info

  • parent mantis: 0003451: [Info Security] .... parent
  • mantis category: Info Security
  • Analyst: Perry

Requirements

Web Application Penetration Testing

Perry has engaged Nettitude (initial meeting on 2/15/2012 @ 3:00PM) to provide an initial quote to execute a Grey Box ethical hack against the CyberTrax Client Application. We expect an initial assessment and quote from Nettitude by Friday 2/17/2012.

Vendor Contact:

Paul Dunlop

Account Executive

Nettitude Inc


D 212-634-6363 Ext.2644

C 917.704.5699

E pdunlop@nettitude.com

www.us.nettitude.com


Test Requirements:

1) Nettitude will perform targeted Grey Box testing of our Production CyberTrax system. Rather than unauthenticated Black Box testing, which only surfaces vulnerabilities reachable before login, we have asked them to test for vulnerabilities post-authentication, i.e. with valid credentials in hand. They will test for common vulnerabilities (SQL injection, XSS, parameter manipulation, etc.) as well as data accessibility issues (whether a user can reach data outside their own role or client).

2) If this project is initiated, we will provide login credentials to Nettitude along with a walk-through of our application. I suggest we set up a test client with obfuscated data for Nettitude to use for their tests. Either way, Nettitude will sign a Non-Disclosure Agreement with Jaguar to protect our client confidentiality in the event they are able to gain access to live client data.

3) Since our Production system is hosted in a different data center than Staging, we will gain the most benefit if Nettitude executes the test against our Production system. They have flexible testing windows, so we can request that they test during off-hours to minimize impact on BAU (Business As Usual) operations. Also, since they will be testing a live system, we have requested that they employ non-intrusive techniques to minimize impact on our system.

4) Nettitude will provide a preliminary report after they complete the first round of tests. They will partner with Jaguar and provide recommendations on how to best remediate any findings. Once findings are remediated, Nettitude can either execute another full test or a targeted test to verify that the vulnerabilities are indeed addressed. Once a final report is published, our engagement with Nettitude will officially close.
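To make concrete what the "role/client accessibility" part of item 1 checks for, the following is an added example written for this page; it is not CyberTrax code and not a Nettitude deliverable. It models a multi-tenant shipment lookup as a small in-memory store with constructed sample data (two clients, three shipments, three logged-in sessions), shows a handler that trusts the ID parameter alone beside a hardened version that scopes every lookup to the caller's client and role, and runs the grey-box check a tester with valid credentials would run: every session tries every shipment ID, and any cross-client or over-privileged access that succeeds is a finding.

```python
"""Grey-box authorization check for a multi-tenant web app.

Added example, not CyberTrax code. Sessions, shipment records and the
request handlers below are constructed stand-ins so the check runs offline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    client_id: str   # tenant (client) the logged-in user belongs to
    role: str        # "user" or "admin"


@dataclass(frozen=True)
class Shipment:
    shipment_id: int
    client_id: str
    reference: str


# Constructed sample data: two clients, three shipments, three sessions.
SHIPMENTS = {
    1001: Shipment(1001, "ACME", "ACME-PO-77"),
    1002: Shipment(1002, "ACME", "ACME-PO-78"),
    2001: Shipment(2001, "GLOBEX", "GLOBEX-PO-5"),
}
SESSIONS = [
    Session("alice", "ACME", "user"),
    Session("bob", "GLOBEX", "user"),
    Session("carol", "ACME", "admin"),
]


class Forbidden(Exception):
    """Stand-in for an HTTP 403 response."""


# --- vulnerable handlers: authenticated, but the ID parameter is trusted ---

def get_shipment_vulnerable(session, shipment_id):
    """Looks the record up by ID only; any logged-in user can read any
    client's shipment by editing the ID parameter (parameter manipulation)."""
    return SHIPMENTS[shipment_id]


def delete_shipment_vulnerable(session, shipment_id):
    """No tenant check and no role check: a plain user can delete anything."""
    return SHIPMENTS[shipment_id]   # simulated; nothing is actually removed


# --- hardened handlers: every lookup is scoped to the caller's client/role ---

def get_shipment_hardened(session, shipment_id):
    record = SHIPMENTS[shipment_id]
    if record.client_id != session.client_id:
        raise Forbidden(f"{session.user} may not read shipment {shipment_id}")
    return record


def delete_shipment_hardened(session, shipment_id):
    record = get_shipment_hardened(session, shipment_id)   # tenant check first
    if session.role != "admin":
        raise Forbidden(f"{session.user} is not an admin")
    return record


def authorization_findings(read, delete):
    """Grey-box check: every session tries every shipment ID through both
    handlers. A finding is any access that succeeded but should have been
    refused, either because the record belongs to another client
    (horizontal) or because the action needs a higher role (vertical)."""
    findings = []
    for s in SESSIONS:
        for sid, rec in SHIPMENTS.items():
            cross_tenant = rec.client_id != s.client_id
            try:
                read(s, sid)
                if cross_tenant:
                    findings.append(("read", s.user, sid))
            except Forbidden:
                pass
            try:
                delete(s, sid)
                if cross_tenant or s.role != "admin":
                    findings.append(("delete", s.user, sid))
            except Forbidden:
                pass
    return sorted(findings)


if __name__ == "__main__":
    for label, read, delete in (
        ("vulnerable", get_shipment_vulnerable, delete_shipment_vulnerable),
        ("hardened", get_shipment_hardened, delete_shipment_hardened),
    ):
        hits = authorization_findings(read, delete)
        print(f"{label}: {len(hits)} findings")
        for action, user, sid in hits:
            print(f"  {user} could {action} shipment {sid}")
```

Against the vulnerable handlers the check reports eleven findings (four cross-client reads plus every delete by a non-admin or against another client's record); against the hardened handlers it reports none. A real engagement runs the same loop over HTTP with two or more client accounts, which is why item 2's suggestion of a dedicated test client matters: the tester needs at least one account whose records are known not to belong to the session under test.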


Sample report and additional information about Nettitude can be found at:

http://ct.jaguarfreight.com/mantis/view.php?id=3453

www.us.nettitude.com

Action Plan:

- Perry will evaluate potential vendors and obtain quotes.

- Project will be presented to CT2 Board on 2/27/2012

SOW 1
