Solved

Application security testing requirement gathering questionnaire

Posted on 2015-02-13
776 Views
Last Modified: 2015-02-15
Hello
I have been searching for the list of basic questions that may be asked to the esteemed client for security assessment and penetration testing requirement gathering. I tried to search on google without much success. Kindly help.

TIA
Question by: PERF_ETC79
3 Comments

Author Comment

by: PERF_ETC79
ID: 40609257
I am working on the links below; hope they help others who need them.

http://media.pathmaker-group.com/wp-content/uploads/2012/01/pentestscope.pdf
http://web.stanford.edu/group/security/securecomputing/SU_Security_Assess_v3.html

I will prepare the concise list and share it here soon....

Expert Comment

by: David Johnson, CD, MVP
ID: 40609840
Before embarking on a pen test on a client, you need to CYA and see what you are specifically allowed to do and specifically NOT allowed to do.

Accepted Solution

by: btan (earned 500 total points)
ID: 40610342
Do check out the references below, which have quite useful lists for pre-engagement and intelligence gathering.

a) Penetration testing standard (PTES) - good that it is also formulated with different stakeholders in mind, not the same bag of questions for everyone: http://www.pentest-standard.org/index.php/Pre-engagement#Questionnaires
> An example of a quick questionnaire is from Carnegie Mellon University:
https://www.cmu.edu/iso/service/sec-assess/Assessment%20Questionnaire.doc

b) Open Source Security Testing Methodology (OSSTM) based penetration testing - a quick summary to start off an engagement, especially for the business owner cum analyst (IT savvy is good): http://media.pathmaker-group.com/wp-content/uploads/2012/01/pentestscope.pdf
> Establish the rules of engagement using the OSSTM reference (not the latest, but relevant): http://isecom.securenetltd.com/osstmm.en.2.1.pdf

I also encourage the other references below, as they minimally aid question formation in your coverage of the key processes and methodology involved, i.e. Planning and Preparation, Information Gathering and Analysis, Vulnerability Detection, Penetration Attempt, Analysis and Reporting, and Cleaning Up.

Importantly, the rules of engagement need consensus from the system owner, supported by the custodian as well as a neutral party, prior to your testing, as does the scope of targets. Do have a baseline and be prepared to adjust and verify again whether this applies to the test scope and targets with the designated point of contact. Some of the assessment plan should answer these basic questions:

 What is the scope of the assessment?
 Who is authorized to conduct the assessment?
 What are the assessment’s logistics?
 How should sensitive data be handled?
 What should occur in the event of an incident?

Ref - NIST SP800-115 (Technical Guide to Information Security Testing and Assessment)
It also identifies nontechnical test activities that will take place, and includes information to help identify the types of policies, procedures, and other documents that should be reviewed. If interviews or site surveys are to be conducted, guidelines should be established for advance approval of the interview list and questions.

c) OWASP (web application) testing - checklist so that test coverage is not lacking and stays focused on the necessary weaknesses:
https://www.owasp.org/index.php/Testing_Checklist
> Cheat sheet to summarise the application testing coverage: https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet

There are others, such as Cigital's BSIMM or OWASP's OpenSAMM, which are more maturity models, but the above focus more on testing rather than development progression, which can be your next engagement on control maturity as the organisation grows (apologies, I digress).
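The two expert comments above both come down to the same operational point: the signed rules of engagement (authorized ranges, explicit exclusions, agreed testing window, point of contact) have to be enforced before any tool is pointed at a target, not just filed. The following is an added example of such a pre-flight scope check, written for this page and not taken from any of the posts or the referenced standards. Every range, address, window and contact in it is constructed for illustration; the `RulesOfEngagement` class, `check_target`, `plan` and `example_plan` are names introduced here. Exclusions are checked before authorizations so an excluded host inside an authorized range is always refused, and hostnames are refused outright because a name can resolve to an address outside the client's ranges.

```python
"""Pre-flight scope check for a penetration test engagement.

Before any tool is run, every target is checked against the rules of
engagement agreed with the system owner: explicitly authorized ranges,
explicit exclusions (which always win), and the agreed testing window.
Everything below (ranges, addresses, window, contact) is constructed for
illustration and is not taken from a real engagement.
"""
from dataclasses import dataclass
from datetime import datetime, time, timezone
import ipaddress


@dataclass
class RulesOfEngagement:
    in_scope: list         # CIDRs the signed authorization covers
    out_of_scope: list     # CIDRs/hosts the client explicitly excluded
    window_start: time     # daily testing window in UTC (may cross midnight)
    window_end: time
    point_of_contact: str  # who is called if a target misbehaves

    def _in_window(self, now: datetime) -> bool:
        t = now.astimezone(timezone.utc).time()
        if self.window_start <= self.window_end:
            return self.window_start <= t <= self.window_end
        # Window crosses midnight, e.g. 22:00 to 06:00 UTC.
        return t >= self.window_start or t <= self.window_end

    def check_target(self, target: str, now: datetime):
        """Return (authorized, reason) for a single IP address."""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # Refuse hostnames: resolve them first and check the addresses,
            # since a name can resolve outside the client's ranges.
            return False, f"{target}: not an IP address, resolve and re-check"
        excluded = (ipaddress.ip_network(n, strict=False) for n in self.out_of_scope)
        if any(addr in n for n in excluded):
            return False, f"{target}: explicitly out of scope"
        allowed = (ipaddress.ip_network(n, strict=False) for n in self.in_scope)
        if not any(addr in n for n in allowed):
            return False, f"{target}: not covered by any authorized range"
        if not self._in_window(now):
            return False, (f"{target}: outside agreed window "
                           f"{self.window_start:%H:%M}-{self.window_end:%H:%M} UTC")
        return True, f"{target}: authorized"

    def plan(self, targets, now: datetime):
        """Split a target list into authorized targets and refusal reasons."""
        authorized, refused = [], []
        for target in targets:
            ok, reason = self.check_target(target, now)
            if ok:
                authorized.append(target)
            else:
                refused.append(reason)
        return authorized, refused


def example_plan(when_iso: str = "2015-02-14T23:30:00+00:00"):
    """Run the check on a constructed engagement; returns (authorized, refused)."""
    roe = RulesOfEngagement(
        in_scope=["10.20.0.0/16", "203.0.113.10/32"],   # constructed ranges
        out_of_scope=["10.20.5.0/24"],                  # constructed exclusion
        window_start=time(22, 0),
        window_end=time(6, 0),
        point_of_contact="client-soc@example.invalid",  # constructed contact
    )
    # Constructed target list: one in scope, one excluded, one single-host
    # authorization, one neighbour that was never authorized, one hostname.
    targets = ["10.20.1.7", "10.20.5.3", "203.0.113.10",
               "203.0.113.11", "intranet.example"]
    return roe.plan(targets, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    ok, refused = example_plan()
    print("authorized:", ok)
    for line in refused:
        print("refused  :", line)
```

Run inside the agreed window, the constructed list yields two authorized targets and three refusals with the reason for each; run at midday the same two are refused again for being outside the window. The refusal list is what you take back to the designated point of contact when the target list and the signed scope disagree, rather than quietly testing the extra hosts.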
