Solved

Application security testing requirement gathering questionnaire

Posted on 2015-02-13
3
730 Views
Last Modified: 2015-02-15
Hello
I have been searching for the list of basic questions that may be asked to the esteemed client for security assessment and penetration testing requirement gathering. I tried to search on google without much success. Kindly help.

TIA
0
Comment
Question by:PERF_ETC79
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 

Author Comment

by:PERF_ETC79
ID: 40609257
I am working on the below links hope it helps others who need them

      
http://media.pathmaker-group.com/wp-content/uploads/2012/01/pentestscope.pdf
http://web.stanford.edu/group/security/securecomputing/SU_Security_Assess_v3.html

I will prepare the concise list and share it here soon....
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40609840
Before embarking on a pen test on a client you need to CYA and see what you are specifically allowed to and specifically NOT allowed to do.
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40610342
Do check out the below which has quite a useful list for pre-engagement and intelligence gathering.

a) Penetration testing standard (PTES) - good that it formulate also with different stakeholders in mind, not same bag of qns http://www.pentest-standard.org/index.php/Pre-engagement#Questionnaires
> Example of quick questionaire is from Carnegie Mellon University
https://www.cmu.edu/iso/service/sec-assess/Assessment%20Questionnaire.doc

b) Open Source Security Testing Methodology (OSSTM) based penetration - quick summary for a start off engagement esp for the business owner cum analyst (IT savvy is good).  http://media.pathmaker-group.com/wp-content/uploads/2012/01/pentestscope.pdf
> Establish the rule of engagement using the OSSTM reference (not latest but relevant ) http://isecom.securenetltd.com/osstmm.en.2.1.pdf

I also encourage the other references below to below as it minimally aid the question formation in your coverage for the key process and methodology involved i.e. Planning and Preparation, Information Gathering and Analysis, Vulnerability Detection, Penetration Attempt, Analysis and Reporting and Cleaning Up.

Importantly, the rule of engagement need consensus from system owner supported by custodian as well as neutral prior to your testing and the scope of targets. Do have a baseline and be prepared to adjust and verify again whether this applies on the test scope and targets with designated point of contact. Some of the assessment plan should answer these basic questions:

 What is the scope of the assessment?
 Who is authorized to conduct the assessment?
 What are the assessment’s logistics?
 How should sensitive data be handled?
 What should occur in the event of an incident?

Ref - NIST SP800-115 (Technical Guide to Information Security Testing and Assessment)
Also identify nontechnical test activities that will take place, and includes information to help identify the types of policies, procedures, and other documents that should be reviewed. If interviews or site surveys are to be conducted, guidelines should be established for advance approval of the interview list and questions.

c) OWASP (web appl) testing - checklist where test coverage should not be lacking and stay focus on necessity weakness
https://www.owasp.org/index.php/Testing_Checklist
> Cheatsheet to summarise the appl testing coverage https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet

There are other such as Cigital's BSIMM or OWASP's OpenSAMM more of maturity model but the above will focus more on testing rather than the development progression which can be your next engagement on control maturity with organisation growth (apologies I digress)
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The next five years are sure to bring developments that are just astonishing, and we will continue to try to find the balance between connectivity and security. Here are five major technological developments from the last five years and some predict…
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question