The Policy Explained

Foster Moore’s core business is registry software. The various regulatory and government bodies that use this software need to do so in the knowledge that it is secure.

To maintain our status and reputation as the leading experts in this field, Foster Moore gives serious consideration to the security of our product. We make clear to our clients what Verne's security policies are, how we identify vulnerabilities in the product, and how often and when we check the product. Additionally, we define how we communicate these vulnerabilities to our clients, and what we do about vulnerabilities when they are discovered.

This policy is not intended to supersede or negate the need for a client to engage a third party to conduct an independent security and vulnerability penetration test. Indeed, it is our opinion that, given the environmental variables that are unique to each client, this should always be done. Our policy is about establishing the first line of defence – making sure that we are developing and configuring in a secure manner before we ship Verne to our clients.

How Is It Implemented?

Tools and Resources

Foster Moore currently uses the following organisations and their products to test the security of Verne.

Qualys

Qualys, Inc. is a provider of cloud security, compliance, and related services for small and medium-sized businesses and large corporations based in Redwood Shores, California. Founded in 1999, Qualys was the first company to deliver vulnerability management solutions as applications through the web using a "software as a service" (SaaS) model, and as of 2013 Gartner Group for the fifth time gave Qualys a "Strong Positive" rating for these services. It has added cloud-based compliance and web application security offerings.

Qualys has over 7,700 customers in more than 100 countries, including a majority of the Forbes Global 100. The company has strategic partnerships with major managed services providers and consulting organisations including BT, Dell SecureWorks, Fujitsu, IBM, NTT, Symantec, Verizon, and Wipro. The company is also a founding member of the Cloud Security Alliance (CSA).

Tools that it offers to test and ensure security include:

  • FreeScan – provides the ability to scan your network, servers, desktops or web apps for security vulnerabilities;
  • BrowserCheck – performs an audit of browser, plugin, OS and security updates to ensure that your system is up to date;
  • Top 4 Security Controls – enables an organisation to verify whether its Windows PCs are implementing the 4 controls that typically prevent 85% of cyber attack techniques:
    • Application Whitelisting;
    • Application Patching;
    • OS Patching;
    • Managing and minimising administrative access.
  • SSL Secure Web Test – checks whether your SSL website is properly configured for strong security and if it is vulnerable to Heartbleed.
  • OWASP – Tests web apps’ defenses against top OWASP-rated risks.
  • SCAP – Tests computers against security configuration benchmarks required by US federal government agencies.

Tenable Network Security

Tenable Network Security is a developer of vulnerability detection systems. It is an American network security company headquartered in Maryland, United States of America, with additional offices in the United Kingdom and Singapore. The company’s products provide network vulnerability scanning for over 75,000 organisations worldwide. Tenable Network Security products have been granted vulnerability detection certifications by multiple entities, including the Payment Card Industry Data Security Standard, the Common Criteria Evaluation and Validation Scheme, the Center for Internet Security, and the National Institute of Standards and Technology. The United States Department of Defense has standardised the security of its networks by using products made by Tenable Network Security.

Tools that it offers to test and ensure security include:

  • Nessus – a proprietary comprehensive vulnerability scanner, which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer connected to a network. It does this by running over 1200 checks on a given computer, testing to see whether any of these attacks could be used to break into the computer or otherwise harm it.

Open Web Application Security Project (OWASP)

The Open Web Application Security Project is an online community that creates freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.

Tools that it provides to test and ensure security include:

  • OWASP ZapProxy – an open-source web application security scanner. It is used extensively by professional penetration testers. It is one of the most active OWASP projects and has been given Flagship status. It is also fully internationalised and is being translated into over 25 languages. Some of the built-in features include: an intercepting proxy server, traditional and AJAX web crawlers, an automated scanner, a passive scanner, forced browsing, a fuzzer, WebSocket support, scripting languages, and Plug-n-Hack support.

Techniques and Processes

The technique we use is based on the Penetration Testing Framework, which is outlined at http://www.vulnerabilityassessment.co.uk/

This is a complete technical blueprint for penetration testing, published by a UK-based security assessment company. It outlines many tools and techniques, including:

  • nmap;
  • WireShark;
  • Burp Suite;
  • Hydra;
  • john;
  • javasnoop;
  • The BeEF framework.

It also recommends and contains many links to articles explaining how to understand, identify and resolve OWASP Top 10 vulnerabilities, such as SQL Injection, CSRF and XSS.

What Level of Protection Is Attempted?

It is widely accepted that the security vulnerability landscape is constantly changing. For every tool that is developed to close a security hole, there are new malicious attempts to exploit other weaknesses. Each advance in technology also provides a new opportunity for malicious exploitation. Accordingly, Foster Moore monitors and addresses the OWASP Top 10. Our goal is to find and resolve all of the OWASP Top 10 vulnerabilities which may be present in Verne.

It is our philosophy that reaching and maintaining this security posture represents a level of security that is recognised as acceptable, and positions us well in any security-related discussions with clients.

Information on the OWASP TOP 10 can be found at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

When are Tests Conducted and How Often?

Foster Moore conducts security tests of all major iterations of Verne, after a Core software upgrade, and when significant new functionality is added to the Verne product.

Where Are The Results Recorded?

If a vulnerability is discovered during either Foster Moore security testing or as a result of a Client’s independent security and penetration test, then a Verne Vulnerability issue will be raised in the Verne Security and Vulnerability Register – one for each unique vulnerability discovered. These issues are sorted by the Verne Version that they are found in.

What is Foster Moore’s Resolution Policy?

Foster Moore will fix all Critical and High vulnerabilities as soon as is practicable. Medium and Low-level vulnerabilities will be assessed on a case-by-case basis, and agreement will be reached with the client to either ‘Resolve’ or ‘Accept and Monitor’. Upgrades and patches to the Verne product will be made available in accordance with the Verne Support and Maintenance Policy.
