Web Application Security Assessment

Service Overview

Secureworks will conduct a Web Application Security Assessment for one (1) web application, which includes analyzing the state of the application to identify vulnerabilities and delivering a final report to you. Secureworks will use its own methodology, which is based on industry frameworks for application testing, including the Open Web Application Security Project (OWASP) Testing Guide, the Open Source Security Testing Methodology Manual (OSSTMM), vendor-specific security documents, and the experience of Secureworks team members.

Service Methodology

Secureworks will schedule an initial meeting to establish rules of engagement, level of effort, scope, risk acceptance, reporting requirements, testing timelines, and schedules.

The assessment will be conducted as follows:

Automated Testing:

For reconnaissance and application mapping, automated tools are used to quickly enumerate and map the application, performing otherwise labor-intensive activities. These tools detect configuration issues, known vulnerabilities, and general errors in web applications. After the initial scans are completed, Secureworks manually analyzes and validates the results to eliminate false positives and to detect any notable patterns that emerge in the findings. Automated testing reveals potential vulnerabilities, including known injection flaws, error handling issues, known configuration issues, known platform and codebase vulnerabilities, and backup files stored on production systems.

Manual Testing:

Secureworks performs manual testing against the application to examine it for additional vulnerabilities and to exploit the vulnerabilities found. Manual testing includes reviewing access controls, manipulating variables (e.g., cookie tampering), testing business logic, and chaining minor low-severity vulnerabilities together into high-severity exploits. Manual testing covers the following well-known categories of vulnerabilities: the Open Web Application Security Project (OWASP) Top 10 and Previous OWASP Vulnerabilities.

Manual testing includes checks for at least the following categories of vulnerabilities:

OWASP Top 10:

Previous OWASP Vulnerabilities:

Remediation Validation:

Secureworks will conduct one remediation validation (RV) for only the high- and critical-severity findings listed in the final report. After the final report is delivered, you have 90 days in which to remediate issues, schedule the RV, and have Secureworks perform the RV. You must submit the RV request through email to the Secureworks point of contact for the Web Service Test within thirty (30) days of delivery of the final report or the RV is forfeited. Secureworks will issue a brief report summarizing the results of the RV, which will include information about whether you successfully remediated the issues.

Note: Secureworks only conducts RVs remotely, regardless of whether the Web Service Test was conducted on-site.

Outcome

Secureworks will present its findings and deliverables to you in the form of a report. The report may contain the following:

Customer shall have one (1) week from delivery of the report to provide comments to be included in the final report. If there are no comments received from Customer before expiration of the review period, the report will be deemed final.

Upon completion of the Service, the Customer-designated contact will receive a secure/encrypted email confirmation from Secureworks. Unless otherwise notified in writing to the contrary by Customer-designated contact, within five (5) business days of such email confirmation, the Service shall be deemed complete.

Scoping Information

The assessment is purchased in one of three sizes (small, medium, or large); the type of web application determines the appropriate size.

Scope and Description

Web Application Security Assessment - Small
Standard Applications: Outlook Web Access, WordPress, Drupal, Joomla
Custom Applications: Simple web application with a limited number of inputs and dynamic pages.
Example: Basic authenticated client portal

Web Application Security Assessment - Medium
Standard Application: SharePoint
Custom Applications: Moderately complex authenticated application with a substantial number of inputs and dynamic pages, plus one of the following: multi-tenant user management, more than 20 REST API/AJAX methods, extensive customizable reporting, or a complex ecosystem exposed to the end user (multiple databases, user-facing cloud storage, etc.).
Example: E-commerce customer web site

Web Application Security Assessment - Large
Standard Applications: SAP, BI
Custom Applications: Complex authenticated application with a substantial number of inputs and dynamic pages, including multiple of the following: multi-tenant user management, more than 20 REST API/AJAX methods, extensive customizable reporting, or a complex ecosystem exposed to the end user (multiple databases, user-facing cloud storage, etc.).
Example: Human Resources SaaS Solution

Work is conducted during the business hours of the Secureworks consultant. After-hours testing is available for an additional cost.

The complete Service Description for this service can be found here: Web Application Security Assessment
