Info Security
From UG
Revision as of 20:07, 16 February 2012
Info
- parent mantis: 0003451: [Info Security] .... parent
- mantis category: Info Security
- Analyst: Perry
Requirements
Web Application Penetration Testing
Perry has engaged Nettitude (initial meeting on 2/15/2012 @ 3:00PM) to provide an initial quote to execute a Grey Box ethical hack against the CyberTrax Client Application. We expect an initial assessment and quote from Nettitude by Friday 2/17/2012. Nettitude is one of just a handful of CREST (Council of Registered Ethical Security Testers) certified member companies.
Vendor Contact:
Paul Dunlop
Account Executive
Nettitude Inc
D 212-634-6363 Ext.2644
C 917.704.5699
E pdunlop@nettitude.com
www.us.nettitude.com
Test Requirements:
1) Nettitude will perform targeted Grey Box testing of our Production CyberTrax system. Rather than simple brute-force Black Box testing, where they identify vulnerabilities pre-authentication, we have asked that they test for vulnerabilities post-authentication. They will test for common vulnerabilities (SQL injection, XSS, parameter manipulation, etc.) as well as data accessibility issues (role/client accessibility).
2) If this project is initiated, we will provide login credentials to Nettitude along with a walk-through of our application. I suggest we set up a test client with obfuscated data for Nettitude to use for their tests. Either way, Nettitude will sign a Non-Disclosure Agreement with Jaguar to protect our client confidentiality in the event they are able to gain access to live client data.
3) Since our Production system is hosted in a different data center than Staging, we will gain the most benefit if Nettitude executes the test against our Production system. They have flexible testing windows so we can request they test during off-hours to minimize impact to BAU (Business As Usual) operations. Also, since they will be testing in a live system, we had requested that they employ non-intrusive techniques to minimize impact to our system.
4) Nettitude will provide a preliminary report after they complete the first round of tests. They will partner with Jaguar and provide recommendations on how to best remediate any findings. Once findings are remediated, Nettitude can either execute another full test or a targeted test to verify that the vulnerabilities are indeed addressed. Once a final report is published, then our engagement with Nettitude will officially close.
A sample report and additional information about Nettitude can be found at:
http://ct.jaguarfreight.com/mantis/view.php?id=3453
www.us.nettitude.com
Action Plan:
- Perry will evaluate potential vendors and obtain quotes.
--[update 02/16/2012] - Awaiting response from second vendor Plynt.
- Project will be presented to CT2 Board on 2/27/2012
- Ideally, Jaguar should perform annual vulnerability assessments of CyberTrax.