http://www.e-spincorp.com website [email protected] email SERVICE DESCRIPTION WEB APPLICATION SECURITY SCANNING Prepared By: Vincent Lim Group General Manager Solutions and Business Consulting E-SPIN Group of Companies PROPRIETARY NOTICE This proposal contains confidential information of E-SPIN, which is provided for the sole purpose of permitting the receipt to evaluate the proposal submitted herewith. In consideration of receipt of this proposal, the receipt agrees to maintain such information in confidence and not to reproduce or otherwise disclose this information to any person outside the group directly responsible for evaluation of its contents. There is no obligation to maintain the confidentiality of any information which was known to the recipient prior to receipt of such information from E-SPIN, or becomes publicly known through no fault of recipient, or is received without obligation of confidentiality to E-SPIN. © E-SPIN ALL RIGHT RESERVED. TABLE OF CONTENTS PROPRIETARY NOTICE ............................................................................................................................................... 2 TABLE OF CONTENTS ................................................................................................................................................. 3 LIST OF FIGURE .................................................................................................................................................................. 6 EXECUTIVE SUMMARY .............................................................................................................................................. 7 WEB APPLICATION SECURITY SCANNING SERVICE ...................................................................................................................... 8 OUR APPROACH ...................................................................................................................................................... 10 SCOPE OF WEB APPLICATION SECURITY ASSESSMENT ............................................................................................................... 11 Study on Relevant Security Policies/Guidelines service (if subscribe) .............................................................................. 12 Internal Security Assessment Covers Web Application, Operating System, Databse, Web Server (if subscribe) ............ 12 External Penetration Testing ........................................................................................................................................... 25 Network, System, Database, Server, web Application, Data, process Security Recommendation .................................. 25 STATEMENT OF SCOPE OF SERVICE WORK (SOW) .................................................................................................................. 26 Out-of-Scope .................................................................................................................................................................... 26 Deliverables ..................................................................................................................................................................... 27 Client’s Responsibilities ................................................................................................................................................... 28 PROJECT TASKS ................................................................................................................................................................ 28 SAMPLE AGREEMENT ........................................................................................................................................................ 29 SAMPLE NON-DISCLOSURE AGREEMENT (NDA) .................................................................................................................... 30 ASSESSMENT TOOLS ......................................................................................................................................................... 32 Acunetix Web Application Vulnearbilities Scanner and Reporter .................................................................................... 32 GFI LANGuard Network Security Scanner and Port Scanner ........................................................................................... 32 Nessus.............................................................................................................................................................................. 32 SamSpade ........................................................................................................................................................................ 32 Wget ................................................................................................................................................................................ 33 Domtools ......................................................................................................................................................................... 33 © E-SPIN ALL RIGHT RESERVED. NetScanTools ................................................................................................................................................................... 33 hping ................................................................................................................................................................................ 33 Firewalk ........................................................................................................................................................................... 33 Nmap ............................................................................................................................................................................... 33 Netcat .............................................................................................................................................................................. 34 feszer ............................................................................................................................................................................... 34 Cerberus WebScan ........................................................................................................................................................... 34 WebProxy ........................................................................................................................................................................ 34 Nbtdump ......................................................................................................................................................................... 34 Tcpdump .......................................................................................................................................................................... 34 dsniff ................................................................................................................................................................................ 35 Ethereal ........................................................................................................................................................................... 35 Strobe .............................................................................................................................................................................. 35 SARA ................................................................................................................................................................................ 35 Cheops ............................................................................................................................................................................. 35 DumpSec .......................................................................................................................................................................... 35 enum ................................................................................................................................................................................ 36 ITS4 .................................................................................................................................................................................. 36 Stunnel ............................................................................................................................................................................. 36 Whisker ............................................................................................................................................................................ 36 Juggernaut ....................................................................................................................................................................... 36 Hunt ................................................................................................................................................................................. 37 IRPAS ............................................................................................................................................................................... 37 Nemesis ........................................................................................................................................................................... 37 Egressor ..........................................................................................................................................................................