Small Business Checklist for Evaluating an ASP
REV 1.1 August 2003

Each item gives the Step, the Reason for it, and (where the checklist lists any) Tools/References.

1.  Step: Review information on application. All printed materials, sales documents, and contact
    Reason: Provides background for evaluating function of app for business.

2.  Step: Summarize what the application will be used for, how it will be used, and by whom. Specify what information the ASP holds.
    Reason: Provides summary for evaluation/report to management. Basis for rating the criticality of the data at the ASP.

3.  Step: Contact the application developer or company representative to establish testing boundaries and get written permission for testing from them before any actual testing is
    Reason: Written permission for testing is absolutely necessary. Be prepared to outline which tools you will be using, and what their effect on the application may be.

3a. Step: If possible, get a separate admin and user account strictly to use for testing.

3b. Step: Ask for any policies related to server patching: who watches for new vulnerabilities in this
    Reason: Open ended questions can provide a good foundation for an evaluation.

3c. Step: Ask for policies related to passwords.
    Reason: Length, pw history, complexity: how does their application handle

3d. Step: Ask for any third party security certification documentation and
    Reason: Have they been evaluated/certified by an outside company?

3e. Step: Ask for general information about firewall/perimeter protection.
    Reason: How is their application structured? Web server in a DMZ, db server on a trusted net? Or everything on one box? Are other websites hosted on the same server?

3f. Step: Ask for general information about application level
    Reason: Do they use an application level firewall?

3g. Step: Ask about logging/auditing of application: do they log IP info, username/pw info, time of day information? How long are logs kept?
    Reason: Will you be able to glean information from these logs in the case of a security incident?

3h. Step: Explain in detail the process <your company> uses to evaluate an application/server.
    Reason: Inform them well so that there are no surprises when you are testing. It may be a good idea to list your tools if they seem reluctant or hesitant.

3i. Step: Determine the level of QA and code review.
    Reason: Do they have a process/personnel for QA testing and code review? Is it the people who are responsible for developing the code?

3j. Step: Ask about insurance coverage.
    Reason: Do they carry "cyber insurance" that would provide coverage for security related events?

3k. Step: Ask what their process is in regards to California Law SB 1386.
    Reason: Do they encrypt all data in all databases? If you have customer identifiable information and have California customers, what would be the ASP's process for notification? Are they prepared to assist with
    Tools/References: 1400/sb_1386_bill_20020926_chaptered.html

3l. Step: Confirm the web-server OS and
    Reason: Verify this in the testing phase.

3m. Step: Ask for any additional information that the developer or representative may provide that would be helpful in evaluating the
    Reason: Open ended questions: let them talk about their application and network environment.

4.  Step: Review provided documentation to establish auditable items.
    Reason: Create an application specific checklist from the information provided to you.

5.  Step: Web Server FQDN and IP Address
    Reason: Identify the specific server you'll be testing.
    Tools/References: NSLookup (online tool); WHOIS information

6.  Step: Network testing: port scan
    Reason: See what is open to the Internet. Is it just ports 80 and 443 (HTTP and HTTPS)? What else is
    Tools/References: GFI LANscanner; nMap

7.  Step: Site Map
    Reason: Will enable you to view/search source code for sensitive information:
      • hidden
      • <!--
      • NAME=GENERATOR
      • METHOD=GET
      • Copyright
    Are there any third-party products used? Have known defaults for these products been tested?
    Tools/References: Achilles; Black Widow

8.  Step: Webserver and OS versions
    Reason: Revealed in headers; can view in Achilles logfiles. Is this information aligned with what you discovered in the interview process in step
    Tools/References: Online tool

9.  Step: Authentication and encryption
    Reason: Is SSL configured correctly? Is it user friendly? List certificate related browser warning, if any. Any pages containing a mix of encrypted/plaintext data? Document all SSL ciphers allowed by site.
    Tools/References: Use "What's that SSL site running?" on Netcraft; Ctrl-I using Netscape browser will provide encryption

10. Step: Sign-on Issues
    Reason: Friendly error messages? Can accounts be brute-force attacked? Can passwords be
    Tools/References: Webcracker 4.0

11. Step: Session-level Issues
    Reason: Does the site allow
    How long is the inactivity

12. Step: Other security issues. This step MAY be optional because of the nature of the tool.
    Reason: Nikto performs a comprehensive, fairly obvious scan. If you want to use Nikto on the ASP site, MAKE SURE you describe your process and the tool in detail to the people responsible for the site.
    Tools/References: NIKTO

13. Step: Transaction-level, from mirrored site info
    Reason: Where are hidden form elements used? Does manipulating them adversely affect the
    Document any server-generated error visible to a remote user. Where are GETS used for user input?
    Tools/References: Odysseus
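The source-review items in steps 7, 8 and 13 (hidden form fields, HTML comments, NAME=GENERATOR, METHOD=GET, copyright strings, and product versions revealed in response headers) can be checked mechanically over pages saved from the site mirror, which keeps the review passive and repeatable. The script below is an added example and is not part of the original checklist or of any tool it names; the sample HTML and response headers are constructed, and the function and class names are assumptions.

```python
"""Audit one mirrored page plus its response headers for the checklist markers.

Added example, not from the original checklist. Covers the step 7 markers,
the step 8 header check, and the step 13 hidden-field / GET-form review.
"""
import re
from html.parser import HTMLParser

# Constructed sample page (not from any real ASP), with one of each marker.
SAMPLE_HTML = """<html><head>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<title>Order Form</title>
</head><body>
<!-- staging copy of checkout, remove before release -->
<form action="/search.asp" method="GET">
  <input type="text" name="q">
</form>
<form action="/checkout.asp" method="POST">
  <input type="hidden" name="price" value="19.95">
  <input type="hidden" name="sku" value="A100">
  <input type="submit" value="Buy">
</form>
<p>Copyright 2003 Example ASP Inc.</p>
</body></html>"""

# Constructed response headers as a mirroring proxy would log them.
SAMPLE_HEADERS = {
    "Server": "Apache/1.3.27 (Unix)",
    "X-Powered-By": "PHP/4.3.2",
    "Content-Type": "text/html",
}

# A product name followed by a dotted version, e.g. "Apache/1.3.27".
VERSION_RE = re.compile(r"\d+\.\d+")


class MarkerParser(HTMLParser):
    """Collects the step 7 / step 13 markers while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.hidden_inputs = []  # (name, value) of every <input type=hidden>
        self.comments = []       # text of every <!-- --> comment
        self.generator = None    # content of <meta name=GENERATOR>
        self.get_forms = []      # action of every form that submits via GET

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values are untouched.
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # HTML defaults to GET when no method is given, so count that too.
            if a.get("method", "get").lower() == "get":
                self.get_forms.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden_inputs.append((a.get("name", ""), a.get("value", "")))
        elif tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")

    def handle_comment(self, data):
        self.comments.append(data.strip())


def header_version_disclosures(headers):
    """Return the headers whose value carries a version number (step 8)."""
    found = {}
    for name in ("Server", "X-Powered-By"):
        value = headers.get(name)
        if value and VERSION_RE.search(value):
            found[name] = value
    return found


def audit_page(html, headers):
    """Run every marker check over one page and return the findings."""
    parser = MarkerParser()
    parser.feed(html)
    parser.close()
    return {
        "hidden_inputs": parser.hidden_inputs,
        "comments": parser.comments,
        "generator": parser.generator,
        "get_forms": parser.get_forms,
        # Copyright lines often name the vendor or a third-party product.
        "copyright": re.findall(r"(?i)copyright[^<\n]*", html),
        "version_headers": header_version_disclosures(headers),
    }


if __name__ == "__main__":
    for key, value in audit_page(SAMPLE_HTML, SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Each finding maps back to a checklist question: hidden fields and GET forms are the inputs to review in step 13, the generator tag and copyright line answer the third-party-product question in step 7, and the version headers are what step 8 asks you to compare against the interview answers. Running the function over every saved page of the mirror gives the application-specific list step 4 asks for.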