Application security testing requirement gathering questionnaire

Posted on 2015-02-13
Last Modified: 2015-02-15
Hello
I have been searching for a list of basic questions that may be asked of the esteemed client for security assessment and penetration testing requirement gathering. I tried searching on Google without much success. Kindly help.

TIA
Question by:PERF_ETC79
3 Comments
 

Author Comment

by:PERF_ETC79
ID: 40609257
I am working on the links below; I hope they help others who need them.

      
http://media.pathmaker-group.com/wp-content/uploads/2012/01/pentestscope.pdf
http://web.stanford.edu/group/security/securecomputing/SU_Security_Assess_v3.html

I will prepare the concise list and share it here soon....
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 40609840
Before embarking on a pen test on a client you need to CYA and see what you are specifically allowed to and specifically NOT allowed to do.
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 40610342
Do check out the below which has quite a useful list for pre-engagement and intelligence gathering.

a) Penetration testing standard (PTES) - good that it is also formulated with different stakeholders in mind, not the same bag of questions: http://www.pentest-standard.org/index.php/Pre-engagement#Questionnaires
> An example of a quick questionnaire is from Carnegie Mellon University
https://www.cmu.edu/iso/service/sec-assess/Assessment%20Questionnaire.doc

b) Open Source Security Testing Methodology (OSSTM) based penetration - quick summary for starting off an engagement, especially for the business owner cum analyst (IT savvy is good). http://media.pathmaker-group.com/wp-content/uploads/2012/01/pentestscope.pdf
> Establish the rules of engagement using the OSSTM reference (not the latest but relevant): http://isecom.securenetltd.com/osstmm.en.2.1.pdf

I also encourage the other references below, as they minimally aid the question formation in your coverage of the key process and methodology involved, i.e. Planning and Preparation, Information Gathering and Analysis, Vulnerability Detection, Penetration Attempt, Analysis and Reporting, and Cleaning Up.

Importantly, the rules of engagement need consensus from the system owner, supported by the custodian as well as neutral, prior to your testing and the scope of targets. Do have a baseline and be prepared to adjust and verify again whether this applies to the test scope and targets with the designated point of contact. Some of the assessment plan should answer these basic questions:

 What is the scope of the assessment?
 Who is authorized to conduct the assessment?
 What are the assessment’s logistics?
 How should sensitive data be handled?
 What should occur in the event of an incident?

Ref - NIST SP800-115 (Technical Guide to Information Security Testing and Assessment)
Also identify nontechnical test activities that will take place, and include information to help identify the types of policies, procedures, and other documents that should be reviewed. If interviews or site surveys are to be conducted, guidelines should be established for advance approval of the interview list and questions.

c) OWASP (web application) testing - checklist where test coverage should not be lacking and should stay focused on the necessary weaknesses
https://www.owasp.org/index.php/Testing_Checklist
> Cheatsheet to summarise the appl testing coverage https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet

There are others, such as Cigital's BSIMM or OWASP's OpenSAMM, which are more of a maturity model, but the above will focus more on testing rather than the development progression, which can be your next engagement on control maturity with organisation growth (apologies, I digress).