SANS Institute Security Consensus Operational Readiness Evaluation
This checklist is from the SCORE Checklist Project. Reposting is not permitted without express, written permission.

ASP Checklist
Copyright SANS Institute. Author Retains Full Rights.
Small Business Checklist for Evaluating an ASP

Each step lists the Step, the Reason for it, and any Tools/References.

1. Review information on application. All printed materials, sales documents, and contact information.
   Reason: Provides background for evaluating the function of the app for the business.

2. Summarize what the application will be used for, how it will be used, and by whom. Specify what information the ASP holds.
   Reason: Provides a summary for the evaluation/report to management. Basis for rating the criticality of the data at the ASP.

3. Contact the application developer or company representative to establish testing boundaries and get written permission for testing from them before any actual testing is done.
   Reason: Written permission for testing is absolutely necessary. Be prepared to outline which tools you will be using—and what their effect on the application may be.

3a. If possible, get a separate admin and user account strictly to use for testing.

3b. Ask for any policies related to server patching: who watches for new vulnerabilities in this company?
   Reason: Open ended questions can provide a good foundation for an evaluation.

3c. Ask for policies related to passwords.
   Reason: Length, pw history, complexity: how does their application handle passwords?

3d. Ask for any third party security certification documentation and reports.
   Reason: Have they been evaluated/certified by an outside company?

3e. Ask for general information about firewall/perimeter protection.
   Reason: How is their application structured? Web server in a DMZ / db server on a trusted net? Or everything on one box? Are other websites hosted on the same server?

3f. Ask for general information about application level protection.
   Reason: Do they use an application level firewall?
   Tools/References: http://www.owasp.org/development/codeseeker

3g. Ask about logging/auditing of the application: do they log IP info, username/pw info, time of day information? How long are logs kept?
   Reason: Will you be able to glean information from these logs in the case of a security incident?

3h. Explain in detail the process used to evaluate an application/server.
   Reason: Inform them well so that when you are testing… it may be a good idea to list your tools if they seem reluctant or hesitant.

3i. Determine the level of QA and code review.
   Reason: Do they have a process/personnel for QA testing and code review? Is it the people who are responsible for developing the code?

3j. Ask about insurance coverage.
   Reason: Do they carry “cyber insurance” that would provide coverage for security related events?

3k. Ask what their process is in regards to California Law SB 1386.
   Reason: Do they encrypt all data in all databases? If you have customer identifiable information and have California customers, what would be the ASP’s process for notification? Are they prepared to assist with notifications?
   Tools/References: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

3l. Confirm the web-server OS and server software/version.
   Reason: Verify this in the testing phase.

3m. Ask for any additional information that the developer or company representative may provide that would be helpful in evaluating the application.
   Reason: Open ended questions – let them talk about their application and network environment.

4. Review provided documentation to establish auditable items.
   Reason: Create an application specific checklist from the information provided to you.

5. Web Server FQDN and IP Address.
   Reason: Identify the specific server you’ll be testing.
   Tools/References:
   - NSLookup (online tool): http://network-tools.com/nslook/
   - WHOIS information: http://www.networksolutions.com/cgi-bin/whois/whois

6. Network testing—port scan.
   Reason: See what is open to the Internet—is it just ports 80 and 443 (HTTP and HTTPS)? What else is open?
   Tools/References:
   - GFI LANscanner: http://www.gfi.com/lannetscan/
   - nMap: http://www.insecure.org/nmap
   - nMapWIN: http://mypage.bluewin.ch/vogje01/e/nmapwin/index.html

7. Site Map.
   Reason: Will enable you to view/search source code for sensitive information: • hidden •
   Tools/References:
   - Achilles: http://www.mavensecurity.com/achilles
   - Black Widow

9. Authentication and encryption.
   Reason: Is SSL configured correctly? Is it user friendly? List certificate related browser warnings, if any. Any pages containing a mix of encrypted/plaintext data? Document all SSL ciphers allowed by the site.
   Tools/References: Use “What’s that SSL site running?” on Netcraft. Ctrl-I using the Netscape browser will provide encryption info.

10. Sign-on Issues.
   Reason: Friendly error messages? Can accounts be brute-force attacked? Can passwords be harvested?
   Tools/References: Webcracker 4.0: http://packetstormsecurity.nl/Crackers/indexsize.shtml

11. Session-level Issues.
   Reason: Does the site allow concurrency? How long is the inactivity timeout?

12. Other security issues. This step MAY be optional because of the nature of the tool.
   Reason: Nikto performs a comprehensive, fairly obvious scan. If you want to use Nikto on the ASP site, MAKE SURE you describe your process and the tool in detail to the people responsible for the site.
   Tools/References: NIKTO: http://www.cirt.net/code/nikto.shtml

13. Transaction-level: info from mirrored site.
   Reason: Where are hidden form elements used? Does manipulating them adversely affect the server? Document any server-generated error visible to a remote user. Where are GETs used for user input?
   Tools/References: Odysseus: http://www.wastelands.gen.nz/index.php?page=odysseus

REV 1.1 August 2003
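For step 6, an added example that is not part of the SANS checklist: it reads nmap's grepable (-oG) output and lists every open port other than 80 and 443, so each one can be put to the ASP for explanation (a database port reachable from the Internet, for instance, bears directly on the architecture questions in 3e). The scan text, host address and host name are constructed for the example.

```python
# Flag open ports beyond the expected web ports in nmap grepable (-oG) output.
EXPECTED_WEB_PORTS = {80, 443}  # HTTP and HTTPS, the ports checklist step 6 expects

# Constructed sample of `nmap -oG -` output for a hypothetical ASP host; not a real scan.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (asp.example.test)\tStatus: Up
Host: 192.0.2.10 (asp.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 1433/open/tcp//ms-sql-s///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (995)
# Nmap done (constructed sample)
"""


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service), ...]} from -oG text."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # -oG lines are tab-separated "Name: value" fields.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        for entry in fields["Ports"].split(","):
            # Each entry is port/state/protocol/owner/service/rpc/version/
            parts = entry.strip().split("/")
            results.setdefault(host, []).append(
                (int(parts[0]), parts[2], parts[1], parts[4]))
    return results


def unexpected_open_ports(text, expected=EXPECTED_WEB_PORTS):
    """Open ports the ASP should account for: anything open that is not in `expected`."""
    findings = []
    for host, ports in parse_gnmap(text).items():
        for port, proto, state, service in ports:
            if state == "open" and port not in expected:
                findings.append((host, port, proto, service))
    return findings


if __name__ == "__main__":
    for host, port, proto, service in unexpected_open_ports(SAMPLE_GNMAP):
        print(f"{host}: {port}/{proto} ({service}) is open; ask the ASP to justify it")
```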
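For steps 7 and 13, an added example that is not from the SANS checklist or from any of the tools it lists: it inventories the forms in a page saved from the mirrored site and reports the hidden form elements and the forms that submit user input via GET, which is the list step 13 asks you to document for the evaluation. The HTML page is a constructed sample; the form actions and field names are invented.

```python
# Inventory forms in a saved page (steps 7 and 13): hidden fields and GET forms.
from html.parser import HTMLParser

SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="text" name="user"><input type="password" name="pw">
  <input type="hidden" name="role" value="user">
</form>
<form action="/search">
  <input type="text" name="q">
  <input type="hidden" name="price" value="19.99">
</form>
"""  # constructed sample page, not a real ASP page

class FormInventory(HTMLParser):
    """Collects each <form> with its action, method and input fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A form with no method attribute submits via GET in the browser.
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"type": (a.get("type") or "text").lower(),
                                            "name": a.get("name") or "",
                                            "value": a.get("value")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def review_forms(html):
    """Items to verify in testing: ("hidden-field", action, name, value), and
    ("get-user-input", action, "get", None) for GET forms that take typed input."""
    parser = FormInventory()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        for field in form["inputs"]:
            if field["type"] == "hidden":
                findings.append(("hidden-field", form["action"], field["name"], field["value"]))
        if form["method"] == "get" and any(f["type"] in {"text", "password", "search"} for f in form["inputs"]):
            findings.append(("get-user-input", form["action"], form["method"], None))
    return findings
```

Run it over every page Achilles or Black Widow saved from the mirror, and carry the hidden-field and GET findings into the step 13 tests and the report.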
Last Updated: November 13th, 2021