Security policy

Web application vulnerabilities represent the largest single attack vector outside of malware. It is crucial that all web applications are assessed for vulnerabilities and that any vulnerabilities are fixed before deployment in production.

The purpose of this policy is to define the security assessments of web applications within DATAMIX.IO SAS. Web application assessments are performed to identify potential or realized weaknesses resulting from inadvertent misconfiguration, weak authentication, insufficient error handling, leakage of sensitive information, etc. The discovery and subsequent mitigation of these issues will limit the attack surface of DATAMIX.IO SAS services available internally and externally, as well as satisfying compliance with all relevant policies in place.

Methods implemented

  • Protection against SQL injections (SQLi) and XSS (Cross-Site Scripting) vulnerabilities.
  • Protection against visitors via proxies, VPN or TOR.
  • Protection against spammers and spam bots targeting your content.
  • Protection module that sanitises all incoming and outgoing requests and responses.
  • Module that filters vulgarities, forbidden words, malicious links, toxic phrases and other undesirable content in real time.
  • Integration with the best anti-spam databases (DNSBL) to protect your site from malicious visitors.
  • Intelligent pattern recognition: detection of unknown / zero-day attacks and exploits.
  • Industrial-grade algorithms: detection of known hacker attacks.
  • Banning system: blocking/redirecting visitors/users (IP addresses), countries, IP ranges, operating systems, browsers, ISPs and referrers.
  • Block the many bad bots and crawlers that waste your site's bandwidth.
  • Protection against fake bots.
  • Checking of request headers.
  • Real-time analysis of all requests.

Scope

This policy covers all web application security assessments requested by any individual, group or department in order to maintain the security posture, compliance, risk management and change control of the technologies used at DATAMIX.IO.

All web application security assessments will be performed by delegated security personnel either employed or contracted by DATAMIX.IO. All findings are considered confidential and must be distributed to individuals on a "need to know" basis. Distribution of any findings outside of DATAMIX.IO is strictly prohibited unless approved by the Chief Technology Officer.

Any relationships within multi-tier applications found during the scoping phase will be included in the assessment, unless explicitly limited. Subsequent limitations and justifications will be documented prior to the start of the evaluation.

Security policy

1. Web applications are subject to security assessments based on the following criteria:

  • New or major version of the application - will undergo a full evaluation prior to approval of change control documentation and/or release to the live environment.
  • Third-party or acquired web application - will undergo a full assessment, after which it will be bound to the policy requirements.
  • One-off releases - will be subject to an appropriate level of assessment depending on the risk of modifying the functionality and/or architecture of the application.
  • Patch versions - will be subject to an appropriate assessment based on the risk of modifying the application's functionality and/or architecture.
  • Emergency Releases - An Emergency Release will be authorised to waive security assessments and assume the presumed risk until an appropriate assessment can be made. Emergency releases will be designated as such by the Chief Information Officer or an appropriate manager to whom this authority has been delegated.

2. All security issues identified during assessments must be mitigated according to the following risk levels. The risk levels are based on the PEMA risk assessment methodology. Remediation validation testing will be required to validate the remediation and/or mitigation strategies for any issues identified at the medium or higher risk levels.

  • High - Any high-risk issues should be corrected immediately or other mitigation strategies put in place to limit exposure before deployment. Applications with high-risk issues may be taken offline or denied deployment in the live environment.
  • Medium - Medium risk issues should be reviewed to determine what is required to mitigate them and scheduled accordingly. Applications with medium risk issues may be taken offline or denied deployment in the live environment depending on the number of issues, and if multiple issues together increase the risk to an unacceptable level. Issues should be addressed as part of a patch or point release, unless other mitigation strategies limit exposure.
  • Low - The issue should be reviewed to determine what is required to correct it and scheduled accordingly.

3. The following security assessment levels must be established by the InfoSec organisation or any other designated organisation that will carry out the assessments.

  • Full - A full assessment includes testing for all known web application vulnerabilities using automated and manual tools based on the OSTP Testing Guide. A full assessment will use manual penetration testing techniques to validate discovered vulnerabilities in order to determine the overall risk of any discovered vulnerabilities.
  • Quick - A quick assessment will consist of a (typically) automated scan of an application for at least OWASP's top ten web application security risks.
  • Targeted - A targeted evaluation is carried out to check for changes to correct vulnerabilities or new features in the application.

4. The currently approved web application security assessment tools that will be used for testing are:

Other tools and/or techniques may be used depending on what is found in the assessment and on the need to determine validity and risk, subject to the discretion of the security engineering team.

Compliance with policies

COMPLIANCE MEASUREMENT

The Infosec team will verify compliance with this policy through a variety of methods including, but not limited to, periodic audits, video surveillance, business tool reports, internal and external audits and feedback to the policy owner.

EXCEPTIONS

Any exceptions to the policy must be approved in advance by the Infosec team.

NON-COMPLIANCE

An employee who breaches this policy may be subject to disciplinary action up to and including dismissal.

Web application assessments are a requirement of the change control process and must comply with this policy, unless it is determined that they are exempt. All application releases must go through the change control process. Any web application that does not comply with this policy may be taken offline until a formal assessment can be completed, at the discretion of the Chief Information Officer.

Standards, policies and related processes

Last update:
11 November 2025
All rights reserved