Objective
Security assessment in the “risk-based, time-limited” approach is carried out on the basis of test/verification scenarios defined in collaboration with Company representatives. The auditor/tester focuses their attention on those scenarios. During the work, the auditor/tester will verify the vulnerabilities with the highest level of risk (in particular, those that can seriously affect the security attributes of the systems and the data processed by the systems – confidentiality, integrity, availability) within the limited time allocated for the work.
The “risk-based, time-limited” approach makes it possible to reduce the time and budget needed to complete an information systems security assessment. At the same time, it is ensured that test/verification scenarios can be subsequently priced and executed for other areas that are standardized in full security testing, but which are not defined in the test scenarios.
Methodology
Information systems security testing simulates the actions of typical threat actors, who usually belong to one of two groups:
– anonymous user – a user who does not have credentials that allow authentication in the target application,
– authenticated user – a user who has credentials that allow authentication in the target application.
Since authenticated users can be assigned different user roles and sets of credentials, it is important that specific user roles are selected for testing purposes. The selection should be done collaboratively by the tester and the business owner of the application.
Out of all available permissions, representative sets of user permissions (roles) will be selected to be tested for potential escalation of permissions and bypassing of accepted logic. Thus, the remaining sets of permissions, not indicated as “in scope”, will remain outside the scope of work.
Depending on the localization of the IT system, the test can be performed on-site or remotely. In the case of remote testing, with all network traffic coming from a fixed pool of IP addresses.
The “risk-based, time-limited” approach makes it possible to reduce the time and budget needed to complete an information systems security assessment. At the same time, it is ensured that test/verification scenarios can be subsequently priced and executed for other areas that are standardized in full security testing, but which are not defined in the test scenarios.
Step 1 – Meeting with Company employees
Schedule meeting with the Contasec professionals to define the problem, your company needs and find the solution.
Step 2 – Identifying test scenarios
•- identification of threats that could negatively affect the organization’s business and/or IT processes supported by the system,
•- identification of test scenarios, based on the results of the threat modeling that will be carried out as part of the planned work.
As a result of the analysis, test scenarios will be defined, which will be the starting point for the planning and execution of the work.
Test/verification scenarios may include methods of various types, such as:
– infrastructure vulnerability tests,
– penetration techniques (penetration testing),
– network traffic analysis,
– documentation analysis,
– interviews.
We conclude that our proposal of test scenarios is primarily aimed at obtaining reliable results, and secondarily to be cost-optimal, i.e., among several types of verification scenarios, the one that will reliably and efficiently verify the effectiveness of existing controls will be proposed.
If necessary, we also allow compliance testing against a mutually selected and agreed standard.
In summary, security assessment in a risk-based, time-limited approach uses selected methods to verify/test the effectiveness of security controls against identified (modeled) risks.
A full description of the methods that can be used is provided in the following pages of this offer.
Please note that:
– The testing/verification methods indicated in this offer are not a closed catalog. If necessary, we are able to offer alternative measures – due to the number of available methods, specific also to specific technologies (often unknown until the start of the analytical work) – it was not possible to include their descriptions in this offer.
– The use of a particular method does not imply the implementation of the full approach indicated in its description (we are limited only to the implementation of the planned test/verification scenario against the control under test).
Step 3 – Confirmation of test scenarios
Based on the results of the previous steps, Contasec team prepares a list of attack/verification scenarios, including:
– test scenarios anticipated to be executed by testers,
– areas defined as outside the scope of work, which are standard in full security testing and which can be priced and executed later.
If there are too many scenarios, the most important ones will be selected to fit within the allotted time for the work.
Once the scenarios are confirmed with the Company, the tester will proceed with their execution.
Step 4 – Execution of test scenarios
Depending on the chosen method of test/verification scenario execution, the relevant approach developed by Contasec team in the course of numerous security audits/tests is applied.
Given the high proportion of the use of penetration techniques in scenario verification, the following is a reference to the standards and guidelines used in the case of security testing of software interfaces.
Based on the defined and confirmed attack scenarios implemented by the security (penetration) testing method, the tests cover a number of aspects affecting the security level of the application and include selected verification requirements specified in the following documents:
– for a web application:
– OWASP Web Security Testing Guide v4.2,
. – OWASP Top 10 2021,
– OWASP ASVS 4.0.3;
– for Web Services / Web APIs:
– OWASP Web Security Testing Guide v4.2,
– OWASP Top 10 2021,
– OWASP ASVS 4.0.3,
– OWASP Web Service Security Cheat Sheet,
– OWASP REST Assessment Cheat Sheet;
– for “thick client” applications – currently, on Windows and Linux runtime platforms:
– OWASP Web Security Testing Guide v4.2,
– OWASP Top 10 2021,
– OWASP ASVS 4.0.3,
– InfoSec Institute Thick Client Application Security Testing;•
– for mobile applications – currently, on Android and iOS launch platforms:
– OWASP Mobile Security Testing Guide,
– OWASP Mobile Top 10 2016,
– OWASP MASVS 1.2 (Level 2);
– for the IT infrastructure supporting the operation of applications:
– OSSTMM (Open Source Security Testing Methodology Manual).