www.niit-tech.com

At the Heart of Vulnerability Management

Security Testing: Ensure Complete Business Integrity

Security testing services are based on the principles of confidentiality, integrity, availability, , , and . The alarming increase in the number and frequency of significant breach incidents from external and internal attackers has made it critical for organizations to secure all three fundamental access points to their digital data—the network, the hardware, and the —that support business operations. Organizations spend a large chunk of their revenue on security testing programs that are often plagued by an unplanned approach. NIIT Technologies helps develop an effective, balanced approach to security testing, saving time and resources and protecting against damage to reputation.

Address Vulnerabilities at a Low Cost

Frequent and rapid changes in the application software leave it prone to several security flaws. Many organizations perform security testing after releasing the product for manufacturing. This results in huge costs and resources needed to plug the security flaws. To ensure that vulnerabilities are addressed faster, it is important to introduce security during the Software Development Lifecycle (SDLC). During each phase of the security development program, appropriate security testing activities must be performed to ensure that the software is defect-free before it is released for production. The cost to fix a security vulnerability found in production is 6.5 times higher than that of one found in the SDLC phase. By introducing security into the software development lifecycle, NIIT Technologies enables organizations to meet customer demands with secure products and services.

Secure Architecture: In the security architecture document, we help create a list of recommended software frameworks, services, and other software components, and develop a list of guiding security principles as a checklist against detailed designs.

The NIIT Technologies Security Testing services help clients:

- Increase assurance and customer confidence
- Reduce risks before releasing into the production system
- Prioritize risk remediation effort
- Comply with industry best practices in security
- Save big on cost and resources

NIIT Technologies Security Testing services offer an effective means to handle your business challenges:

Challenges | Solutions
Growth of rich Internet applications and technologies | Risk assessment, threat modeling assessment, Vulnerability Assessment and Penetration Testing (VAPT)
Regulatory requirement standards such as the Sarbanes–Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry Data Security Standard (PCI DSS) | Follow best practices of regulatory compliance
Third-party utilities integration and dependency | White-box testing (secure code review)
User ignorance about security | Security awareness training for the user

Our Solution

The NIIT Technologies solution has a three-pronged approach to ensuring complete client satisfaction:

Education: We educate the development and testing teams about the objective of security testing and common security issues.

Security Requirements: We review projects and specify security requirements based on functionality. We help analyze compliance and best-practice security guidance documents to derive additional requirements.

Introducing Security Testing Services in SDLC: By integrating security in the SDLC phase, organizations can ensure that secure development activities are performed as part of the standard development process. Security testing in different SDLC phases ensures that appropriate security testing services are implemented. An outline of relevant services in different phases of the SDLC process is given below.

Security Services in SDLC

Phase | Security services
Define (Product Requirement) | Security Requirement & Risk Assessment
Design (Design and Architecture) | Security Architecture Review and Threat Modeling
Develop | Vulnerability Assessment, Testing, and Best Practices Review
Deploy (Release) | Vulnerability Assessment and Penetration Testing
Maintain (Maintenance) | Network & Server Configuration Review & Penetration Testing

The security testing services program is divided into five stages, with different kinds of security assessments performed to save costs and resources while protecting the brand from damage.

Define: To have a successful testing program, organizations must first understand the testing objectives. These objectives are specified by the security requirements. This stage also covers how security requirements effectively drive security testing during the SDLC and how security test data can be used to effectively manage software security risks. The first step before documenting security requirements is to understand business requirements. A business requirement document can provide initial high-level information on the expected functionality of the application.

Design: Manual inspections and reviews are important activities in the SDLC. In this stage, inspection of architectural diagrams and review of the system is carried out. Threat models are created as early as possible in the SDLC for risk assessment of applications. This enables designers to develop mitigation strategies for potential vulnerabilities and helps them focus limited resources on the parts of the system that require them.

Develop: Secure code review and testing during this phase of development enable organizations to find bugs. It is also called white-box testing, as static analysis of the code is performed during this phase. Bugs in the source code are found manually or with automated tools. The developers depend on the results of the source code analysis to verify that the developed source code does not include potential vulnerabilities and is compliant with the best practices of secure coding.

Deploy: When all the phases of development are completed, the application is deployed on the staging or the testing server. Penetration testing and security testing are performed on the application and the network. The tester acts like an attacker and tries to exploit the software with black-box and grey-box security testing techniques.

Maintain: The aim of security assessment is the identification of gaps in security controls such as lack of basic authentication, authorization, or controls. Maintaining security assessment requires controls to measure the effectiveness of the security program. Security test metrics can support security risk, cost, and defect management analysis by reducing overall vulnerabilities by up to 25% and prioritizing and fixing high and medium impact issues within the deadline.

Security Threats Demand Capabilities of a Technology Vendor

Services Advantage: Our Security Testing services program reduces the risk level of security flaws and insecure software to around 80% and saves the organization from monetary and brand value loss. According to Forbes.com, the cost of security flaws for an economy is estimated at $180 billion a year, and recovery cost is estimated at $216 million a year. The National Institute of Standards and Technology (NIST) reported that the cost of fixing a bug during testing is estimated at $30,000, whereas the cost of fixing the bug during coding is $5,000. We have performed security testing for multiple clients in various domains such as airlines, retail, banking and finance, transportation, and insurance.

Threat Assessment: Build a threat model based on the documents and information received from the business team for each type of environment. This model helps to identify the criticalities of various threats and their impact on the business during the development process.

Design Review: Identify the entry points (attack surface/defense perimeter) in software designs. Once the entry points are identified, analyze software designs against known risks.

Code Review: Create best practices of secure coding standards for the development team to help them know what kind of security mechanisms can be implemented during coding. This helps to reduce the effort of the development team for remediation of bugs by 60%.

Penetration Testing: Penetration testing of application and network is one of the important activities during security testing because it is performed before the product is released for production. To secure the environment, best practices of industry-specific standards (OWASP, SANS, OSSTMM) of security testing are followed.

Vulnerability Management: Create security testing metrics with a baseline to mitigate vulnerabilities. In this process, priority is given to high and medium impact issues.

Security Testing Technique: We follow the industry-specific Open Web Application Security Project (OWASP), Open Source Security Testing Methodology Manual (OSSTMM), SANS, and Web Application Security Consortium (WASC) security testing standards. Our vulnerability assessment service is designed to identify security flaws in an organization's external and internal environment that an attacker can exploit. It also identifies vulnerabilities ranked by risk.

Security Testing Deliverables

Following are the security testing deliverables for clients based on their requirement:

Testing Types | Deliverables
Manual inspection and review | Maturity model, Web security risk assessment
Code review | Secure code review report
Scanning | Web application scanning report, network scanning report
Penetration testing | Artefact report, penetration testing report

(Figure: program benefits, labelled Less Expensive, More Vulnerabilities Coverage, Time Saving, More Secure.)

Our Approach to Security Testing

Planning Phase
- Scope and strategy of the assignment is determined
- Existing security policies and standards are used for defining the scope

Discovery Phase
- Collect as much information as possible about the system, including data, user names, and even passwords
- Scan and probe into the ports

Attack Phase
- Check for vulnerabilities and follow the industry security testing standards: OWASP, SANS, WASC
- VAPT techniques are involved in this phase
- Various exploits can be created

Reporting Phase
- Report must contain detailed findings
- Record risks of vulnerabilities found and their impact on business
- Prepare artefact document for all the known vulnerabilities
- List recommendations and solutions

Our Risk Metric Model

Test Name | Status | Risk
Authentication | |
Verify all pages and resources that require authentication except those specifically intended to be public. | Done | H
Verify enforcement of all authentication controls on the server side. | Done | M
Session Management | |
Verify that the framework's default session management control implementation is used by the application. | Not Done | H
Verify that sessions are invalidated when the user logs out. | Done | L
Access Control | |
Verify that users only access secured functions or services for which they possess specific authorization. | Not Done | H
Verify that users can only access secured URLs for which they possess specific authorization. | Not Done | H
Input Validation | |
Verify that the runtime environment is not susceptible to buffer overflows, or that security controls prevent buffer overflows. | Not Done | H
Verify that all input validation failures result in input rejection. | Done | M
Cryptography at Rest Verification Requirement | |
Verify that all cryptographic functions used to protect secrets from the application user are implemented on the server side. | Not Done | H
Verify that all cryptographic modules fail securely. | Not Done | H
Error Handling and Logging Verification Requirement | |
Verify that the application does not send error messages or stack traces containing sensitive data that could assist an attacker, including session id. | Not Done | M
Verify that all error handling is performed on trusted devices. | Not Done | M
Data Protection Verification Requirement | |
Verify that all forms containing sensitive information have disabled client side caching, including autocomplete features. | Not Done | H
Verify that the list of sensitive data processed by this application is identified, and that there is an explicit policy on how to access this data. | Not Done | H

(Figure: Overall Status and Risk Metric charts; values as extracted: Done 92, 182, Total Volume 155, Completion Status 51%, with risk shares H 30%, M 43%, L 27%.)

Success Story: Multi-Channel Security Testing

Application Security for a Client with Presence in 1000 cities

The client, with a global network and presence in 1,000 cities, is the only franchise network in the industry to do more than 1.5 million chauffeur-driven journeys every year. The client collects, stores, and transmits customer data internally utilizing heavy encryption and top-tier equipment.

Business Scenario

The client wanted security of both the Web and mobile applications with built-in security controls before the rollout. The current system presented the following challenges:

- Customer information was vulnerable to data breaches and attacks; this led to information leakage and loss of sensitive data
- Unsafe and insecure ticket booking mechanism
- Complex multi-city and multi-platform operation of the application
- Difficulty in handling third-party integration with the application

Our Solution

NIIT Technologies' execution approach was divided into four phases:

1. Planning
- Scope analysis of the security testing requirement performed
- Rules of engagement, test plans, and written permission developed and signed
- The standard time set for security testing does not affect the client production server
- Timeline for each security testing activity set
- Demo of the application carried out to understand its behavior and what it does
- Test data of the application generated for security testing

2. Discovery
- Vulnerability analysis of services and applications was carried out
- Operating systems of scanned hosts were compared against vulnerability databases

3. Attack
- Vulnerability scan of the Web application was performed with the security testing tool 'Acunetix'
- Manual penetration testing of the Web application was performed using open source and free edition tools such as Burp Suite, Dirbuster, OpenSSL. It covered at least the top 10 vulnerabilities of the OWASP in all iterations
- Testing was performed on an Android simulator and devices with various open source tools such as Android SDK, dex2jar, agnitio, apktool
- Static and dynamic analysis of the mobile application was performed

4. Reporting
- A separate report after performing automated and manual security testing was created; it was customized for the management and the developer
- A step-by-step security testing report mentioning vulnerabilities was published; it included risk impact, risk severity, and recommended solutions for the issues
- The final published report ensured that all the vulnerabilities had been mitigated by the development team

Value Delivered

- Increased assurance and client confidence
- Saved time and money by prioritizing efforts on mitigation
- Provided proactive strategy for security testing
- Ensured strict compliance with industry best practices

The NIIT Technologies Advantage

Our security testing services not only test Web applications and software, but also deliver effective and unique services. Our proven testing approach with open source tools for manual penetration of Web applications is very effective and enhanced. It also covers industry-specific OWASP, SANS, WASC vulnerabilities without using any commercial tools.

For a balanced approach, our security testing maturity model quantifies best practices of security used by applications. The uniqueness of this model has been implemented on new and existing projects of the organization. It prioritizes the organization's effort for security vulnerabilities because it shows the security risk exposure in terms of authentication, session management, authorization, and access control. Reduced costs, manpower, and faster turnaround time are some of the benefits to our clients.

For more information, contact [email protected]
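As an added example (not NIIT Technologies' code), the following Python models the Risk Metric Model checklist shown above: it computes the completion status and the H/M/L risk share of the checklist, and orders the open checks so that High and Medium impact items are remediated first, as the brochure's vulnerability management process describes. The `Check` class, the shortened check names and the release gate are assumptions made for this example.

```python
# Added example, not NIIT Technologies' code: a small model of the
# Risk Metric Model checklist that computes completion status, the
# H/M/L risk distribution, and a remediation order that puts High
# and Medium impact items first. Rows are the checks on the page.
from dataclasses import dataclass

RISK_RANK = {"H": 0, "M": 1, "L": 2}  # lower rank is fixed first

@dataclass(frozen=True)
class Check:
    area: str
    name: str
    done: bool
    risk: str  # "H", "M" or "L"

CHECKS = [  # constructed from the 14 rows of the Risk Metric Model table
    Check("Authentication", "Auth required on all non-public pages", True, "H"),
    Check("Authentication", "Auth controls enforced server side", True, "M"),
    Check("Session Management", "Framework default session control used", False, "H"),
    Check("Session Management", "Sessions invalidated on logout", True, "L"),
    Check("Access Control", "Only authorized functions/services reachable", False, "H"),
    Check("Access Control", "Only authorized URLs reachable", False, "H"),
    Check("Input Validation", "Runtime not susceptible to buffer overflows", False, "H"),
    Check("Input Validation", "Validation failures reject input", True, "M"),
    Check("Cryptography at Rest", "Crypto protecting secrets runs server side", False, "H"),
    Check("Cryptography at Rest", "Crypto modules fail securely", False, "H"),
    Check("Error Handling and Logging", "No sensitive data in errors/stack traces", False, "M"),
    Check("Error Handling and Logging", "Error handling on trusted devices", False, "M"),
    Check("Data Protection", "Client-side caching/autocomplete off on sensitive forms", False, "H"),
    Check("Data Protection", "Sensitive data inventory and access policy exist", False, "H"),
]

def completion(checks):
    """Return (done, total, percent complete rounded to a whole number)."""
    done = sum(1 for c in checks if c.done)
    return done, len(checks), round(100 * done / len(checks))

def risk_distribution(checks):
    """Share of the whole checklist at each risk level, in percent."""
    return {lvl: round(100 * sum(c.risk == lvl for c in checks) / len(checks)) for lvl in RISK_RANK}

def remediation_order(checks):
    """Open checks, High first, then Medium, then Low; stable within a level."""
    return sorted((c for c in checks if not c.done), key=lambda c: RISK_RANK[c.risk])

def release_gate(checks):
    """True only when every High-impact check is done, i.e. the release may proceed."""
    return all(c.done for c in checks if c.risk == "H")
```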

© 2019 NIIT Technologies. All rights reserved. NIIT Technologies is a leading global IT solutions organization, enabling its clients to transform at the intersect of unparalleled domain expertise and emerging technologies to achieve real-world business impact. The Company focuses on three key verticals: Banking and financial services, Insurance, Travel and Transportation. This domain strength is combined with leading-edge capabilities in Data & Analytics, Automation, Cloud, and Digital. With over 10,000 employees serving clients across Americas, Europe, Asia, and Australia, NIIT Technologies fosters a culture that promotes innovation and constantly seeks to find new yet simple ways to add value for its clients. Learn more about NIIT Technologies at www.niit-tech.com