Solved

Application security testing requirement gathering questionnaire

Posted on 2015-02-13
Last Modified: 2015-02-15
Hello
I have been searching for a list of basic questions that may be asked of the esteemed client for security assessment and penetration testing requirement gathering. I tried to search on Google without much success. Kindly help.

TIA
Question by:PERF_ETC79
3 Comments

Author Comment

by:PERF_ETC79
ID: 40609257
I am working on the links below; hope they help others who need them.

http://media.pathmaker-group.com/wp-content/uploads/2012/01/pentestscope.pdf
http://web.stanford.edu/group/security/securecomputing/SU_Security_Assess_v3.html

I will prepare a concise list and share it here soon.

Expert Comment

by:David Johnson, CD, MVP
ID: 40609840
Before embarking on a pen test on a client, you need to CYA and see what you are specifically allowed to do and specifically NOT allowed to do.

Accepted Solution

by: btan (earned 500 total points)
ID: 40610342
Do check out the below, which has quite a useful list for pre-engagement and intelligence gathering.

a) Penetration testing standard (PTES) - good that it is also formulated with different stakeholders in mind, not the same bag of questions: http://www.pentest-standard.org/index.php/Pre-engagement#Questionnaires
> An example of a quick questionnaire is from Carnegie Mellon University:
https://www.cmu.edu/iso/service/sec-assess/Assessment%20Questionnaire.doc

b) Open Source Security Testing Methodology (OSSTM) based penetration - a quick summary for a start-off engagement, esp. for the business owner cum analyst (IT savvy is good): http://media.pathmaker-group.com/wp-content/uploads/2012/01/pentestscope.pdf
> Establish the rules of engagement using the OSSTM reference (not the latest, but relevant): http://isecom.securenetltd.com/osstmm.en.2.1.pdf

I also encourage the other references below, as they minimally aid question formation in your coverage of the key process and methodology involved, i.e. Planning and Preparation, Information Gathering and Analysis, Vulnerability Detection, Penetration Attempt, Analysis and Reporting, and Cleaning Up.

Importantly, the rules of engagement need consensus from the system owner, supported by the custodian as well as a neutral party, prior to your testing and the scope of targets. Do have a baseline and be prepared to adjust and verify again whether this applies to the test scope and targets with the designated point of contact. Some of the assessment plan should answer these basic questions:

What is the scope of the assessment?
Who is authorized to conduct the assessment?
What are the assessment's logistics?
How should sensitive data be handled?
What should occur in the event of an incident?

Ref - NIST SP800-115 (Technical Guide to Information Security Testing and Assessment)
Also identify nontechnical test activities that will take place, and include information to help identify the types of policies, procedures, and other documents that should be reviewed. If interviews or site surveys are to be conducted, guidelines should be established for advance approval of the interview list and questions.

c) OWASP (web application) testing - a checklist where test coverage should not be lacking; stay focused on the necessary weaknesses:
https://www.owasp.org/index.php/Testing_Checklist
> Cheat sheet to summarise the application testing coverage: https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet

There are others such as Cigital's BSIMM or OWASP's OpenSAMM, which are more of a maturity model, but the above will focus more on testing rather than the development progression, which can be your next engagement on control maturity with organisation growth (apologies, I digress).
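As an added illustration (not part of the thread or of any of the referenced standards), here is one way to turn the agreed scope, exclusions, test window and point of contact from the rules of engagement into a check that runs before any target is touched. The ROE contents, hostnames, addresses and timestamps are constructed placeholders; exclusions take precedence over in-scope entries, and anything unlisted is held for the point of contact rather than assumed allowed.

```python
# Added example (not from the thread): encode the agreed rules of engagement
# (RoE) as data and check a proposed target list against it before any testing.
import ipaddress
from datetime import datetime

ROE = {  # constructed; in practice signed off by system owner, custodian and POC
    "in_scope_networks": ["203.0.113.0/24"],         # documentation range, not real
    "in_scope_hosts": ["app.example.test"],
    "excluded": ["203.0.113.5", "db.example.test"],  # specifically NOT allowed
    "window_utc": ("2015-02-16T20:00", "2015-02-17T04:00"),
    "point_of_contact": "poc@example.test",
}

def _ip_in(target, entries):
    # True if target is an IP inside any IP/CIDR entry; hostnames are skipped.
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False
    for entry in entries:
        try:
            if ip in ipaddress.ip_network(entry):
                return True
        except ValueError:
            continue  # a hostname entry, not a network
    return False

def check_target(target, roe=ROE):
    """Return (allowed, reason) for one host or IP; exclusions win."""
    t = target.strip().lower()
    if t in roe["excluded"] or _ip_in(t, roe["excluded"]):
        return False, "explicitly excluded in RoE"
    if t in roe["in_scope_hosts"] or _ip_in(t, roe["in_scope_networks"]):
        return True, "in scope"
    return False, "not listed in RoE; confirm with " + roe["point_of_contact"]

def in_test_window(now_iso, roe=ROE):
    """True if the ISO 8601 timestamp (agreed as UTC) is inside the window."""
    start, end = (datetime.fromisoformat(s) for s in roe["window_utc"])
    return start <= datetime.fromisoformat(now_iso) <= end

def triage(targets, now_iso, roe=ROE):
    """Split proposed targets into approved names and (name, reason) blocks."""
    if not in_test_window(now_iso, roe):
        return [], [(t, "outside agreed test window") for t in targets]
    approved, blocked = [], []
    for t in targets:
        ok, why = check_target(t, roe)
        (approved if ok else blocked).append(t if ok else (t, why))
    return approved, blocked
```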
