Solved

Application security testing requirement gathering questionnaire

Posted on 2015-02-13
Last Modified: 2015-02-15
Hello
I have been searching for a list of basic questions that may be asked of the esteemed client for security assessment and penetration testing requirement gathering. I tried to search on Google without much success. Kindly help.

TIA
Question by:PERF_ETC79

Author Comment

by:PERF_ETC79
ID: 40609257
I am working on the below links; hope it helps others who need them.

http://media.pathmaker-group.com/wp-content/uploads/2012/01/pentestscope.pdf
http://web.stanford.edu/group/security/securecomputing/SU_Security_Assess_v3.html

I will prepare the concise list and share it here soon.

Expert Comment

by:David Johnson, CD, MVP
ID: 40609840
Before embarking on a pen test on a client you need to CYA and see what you are specifically allowed to do and specifically NOT allowed to do.

Accepted Solution

by: btan (earned 500 total points)
ID: 40610342
Do check out the below, which have quite a useful list for pre-engagement and intelligence gathering.

a) Penetration Testing Execution Standard (PTES) - good that it is also formulated with different stakeholders in mind, not the same bag of questions for everyone: http://www.pentest-standard.org/index.php/Pre-engagement#Questionnaires
> An example of a quick questionnaire is from Carnegie Mellon University:
https://www.cmu.edu/iso/service/sec-assess/Assessment%20Questionnaire.doc

b) Open Source Security Testing Methodology Manual (OSSTMM) based penetration testing - a quick summary for a start-off engagement, esp. for the business owner cum analyst (being IT savvy is good): http://media.pathmaker-group.com/wp-content/uploads/2012/01/pentestscope.pdf
> Establish the rules of engagement using the OSSTMM reference (not the latest, but relevant): http://isecom.securenetltd.com/osstmm.en.2.1.pdf

I also encourage the other references below, as they minimally aid question formation in your coverage of the key processes and methodology involved, i.e. Planning and Preparation, Information Gathering and Analysis, Vulnerability Detection, Penetration Attempt, Analysis and Reporting, and Cleaning Up.

Importantly, the rules of engagement need consensus from the system owner, supported by the custodian as well as a neutral party, prior to your testing, and so does the scope of targets. Do have a baseline and be prepared to adjust and verify again whether this applies to the test scope and targets with the designated point of contact. The assessment plan should answer these basic questions:

 What is the scope of the assessment?
 Who is authorized to conduct the assessment?
 What are the assessment’s logistics?
 How should sensitive data be handled?
 What should occur in the event of an incident?

Ref - NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)
Also identify nontechnical test activities that will take place, and include information to help identify the types of policies, procedures, and other documents that should be reviewed. If interviews or site surveys are to be conducted, guidelines should be established for advance approval of the interview list and questions.

c) OWASP (web application) testing - a checklist so that test coverage is not lacking and stays focused on the necessary weaknesses:
https://www.owasp.org/index.php/Testing_Checklist
> Cheat sheet to summarise the application testing coverage: https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet

There are others, such as Cigital's BSIMM or OWASP's OpenSAMM, which are more of a maturity model, but the above focus more on testing rather than the development progression, which can be your next engagement on control maturity with organisation growth (apologies, I digress).