1. Executive Summary:
SecIQ is pleased to present this proposal to “X company” for conducting penetration testing of the “X company” web application. This proposal outlines the details of the web application penetration testing services to assess the security robustness of the “X company” web application.
Through this assessment SecIQ will aim to determine any potential vulnerabilities that can adversely affect the application, identify the level of access and data a potential attacker could obtain with the current security posture of this application, and provide the necessary fix recommendations to help improve the overall security posture of the Loanwiz application.
The overall objectives of this exercise are to:
• Perform vulnerability assessment and penetration testing on “X company” applications to assess the current security posture from an attacker’s point of view.
• Test for the commonly known vulnerabilities across the industry and also for business-logic flaws specific to “X company” application functionalities.
• Identify and prioritize the potential security vulnerabilities that may be discovered in the application/APIs, and gain a better understanding of the applications and their vulnerabilities.
• Identify remedial solutions and recommendations for making the application(s) secure.
3. Scope, Approach and Methodology:
3.1 Scope:
The scope of this assessment will be confined to:
1. “X company” web application
2. The assessment will cover the following domain(s)/APIs: <to be updated>
Note: All testing will be done on the given staging environment.
Out of Scope:
• Testing of any other “X company” domain/mobile application.
3.2 Approach:
• Whitebox approach: A high-level walk-through of the architecture and the application functionalities will be presented by “X company”. This will help us test the application thoroughly and focus on the business-critical functionalities that you recommend. Testing will be performed as valid authenticated users (using different privileged user roles).
3.3 Methodology:
The “X company” application will be assessed using the OWASP testing framework. This assessment will focus on delivering high-quality security testing through deep expertise in manual security assessments, combined with the power of automation, to help you identify and remediate vulnerabilities – before a hacker does. The overall assessment will cover the following phases:
1. Application Profiling/Reconnaissance:
o Gather an understanding of the application (overall architecture, technology/platforms, frameworks, dependencies, user roles, etc.).
o Analyze the various functionalities/use-cases within the application.
2. Web-application Mapping and Test-case Generation:
o The application is divided into core modules and functional areas.
o Each module is thoroughly analyzed to understand the functionalities, requests/API calls and parameters.
o Mobile application will be reverse engineered to identify files, folders and parameters.
o Data flow between components is mapped along with their logical relationships.
o Create test cases based on business-critical functionalities and use-cases, and derive the potential abuse scenarios.
3. Vulnerability Assessment & Business Logic Testing:
o Perform manual assessment based on the generated test cases to identify potential vulnerabilities.
o Perform automated vulnerability assessment using open-source and custom tools.
o The identified issues will be exploited further to:
 Validate the impact/worst-case scenario of the identified issue and the potential damage that an adversary can cause to the application.
 Gain access to the data to demonstrate the attack vectors that could lead to the loss of sensitive data.
o Data from automated and manual testing is cross-referenced and correlated to establish a final list of issues.
o Document details of identified vulnerabilities: descriptions, severity/impact, proof of concepts and references specific to your web applications.
o Step-by-step POCs and fix recommendations are documented to help your teams understand the vulnerabilities.
o The application will be re-tested in the subsequent assessment to confirm whether the identified vulnerabilities are completely fixed.
The following deliverables will be presented to “X company” at the end of this assessment:
• A detailed vulnerability report containing the following details for each issue:
o Issue summary
o Impact/Risk rating as High, Medium or Low
o Risk score (CVSS or CWSS score as applicable, or a risk score agreed with “X company”)
o Evidence / screenshot of the issue
o Recommendations, architectural suggestions, technical solutions or workarounds to fix the issue.
• Walkthrough of the identified issues to demonstrate the exploitation possibilities from a malicious user’s perspective.
4. Estimated Effort & Pricing
• Considering the size/complexity, business-critical functionalities and function points of the “X company” application, the overall effort to complete this assessment will be ~3 weeks. This includes completion of all the phases outlined in Section 3.3.
• Given below are the pricing details for this engagement:
Description of Service – Continuous Engagement Model | Annual Cost
1. Web Application Penetration Testing of “X company” application. | TBD
   o One-time assessment
   o Validation of the overall application – with focus on business-critical modules/functionalities
   o One round of revalidation of the identified vulnerabilities
   • The price quoted for the penetration testing is confined to the application in scope (as listed in section 3.1).
   • The price quoted for penetration testing assumes that all work is carried out offshore - in the SecIQ office (Monday to Friday local time).
   • The price quoted does not reflect any travel & lodging expenses, which will be applicable in case the engagement requires travel outside Bangalore.
   • The price quoted includes the cost of tools, as required for the penetration testing only.
   • All rates are in INR.
Net Cost | TBD
Total Cost | TBD
5. Assumptions:
• A stable test environment is available throughout the engagement for testing.
• SecIQ security researchers are provided with the access credentials for the various roles to be tested.
• A Non-Disclosure Agreement will be signed by both parties to ensure the confidentiality of data.
6. Glossary:
• OWASP: The Open Web Application Security Project is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web & mobile application security.
• Burp Suite: Burp or Burp Suite is a graphical tool that will be used for this testing. The tool is written in Java and developed by PortSwigger Web Security. It works as an intercepting web proxy and helps in performing manual testing and exploitation.
• Mobile Security Guide: The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
• Secure Development Life-Cycle (SDL): The process of integrating security throughout all phases of the development lifecycle, helping developers build highly secure software and address security compliance requirements.