Web Application Testing Outline of Services
Company Confidential - © RandomStorm Limited 2010 Page 1 of 10

Disclaimer
All the information, representations, statements, opinions and proposals in this document are correct and accurate to the best of our present knowledge. The information contained herein has been prepared on the basis that the agreement entered into between the parties as a result of further negotiations will be based on RandomStorm Standard Terms and Conditions. If not otherwise expressly governed by the terms of a written confidentiality agreement executed by the parties, this report contains information which is confidential to RandomStorm and Company X. Disclosures may not take place without the prior written consent of Company X.

Proposal Contents
Company Information
Customer References
Private Sector
Public Sector
Payment Card Industry Approved Scanning Vendor (PCI ASV)
Payment Card Industry Qualified Security Assessor (QSA)
CESG CHECK
Web Application Testing
Introduction
Risk Categorisation

RandomStorm Overview
RandomStorm has rapidly become one of the UK's leading network security management companies, having developed an integrated suite of products and services designed to enable businesses to monitor and manage the security of their IT networks. Established in 2006, RandomStorm has a growing national and international customer base including major enterprises and local government organisations, and is an Approved Scanning Vendor (ASV) under the Payment Card Industry's compliance programme. Based in Leeds, United Kingdom, RandomStorm focuses on providing enterprise-level, proactive security management services and tools. The company's core services include professional security testing (CHECK/TIGER Scheme accredited), vulnerability scanning and intrusion detection.
RandomStorm services are delivered by a dedicated in-house team led by Andrew Mason. Andrew is an industry-leading security professional and noted author. Both iStorm and xStorm are RandomStorm products, manufactured in Leeds, that provide affordable business-class vulnerability scanning and intrusion detection solutions. RandomStorm prides itself on providing a best-in-class, flexible service for an affordable price. RandomStorm provides services across many vertical sectors. Some of note include:

Company Information
Company Name: RandomStorm Limited
Registered Trading Address: 4 Cromwell Office Park, York Road, Wetherby, West Yorkshire, LS22 7SU, United Kingdom
Telephone: 0845 643 0995
Fax: 0845 643 0996
Web URL: http://www.randomstorm.com
Company Registration Number: 6229788
VAT Registration Number: GB 918 1592 11

Customer References
Private Sector
eBuyer, Arsenal Football Club, Bolton Wanderers, Sunderland Football Club, Reading Football Club, Fulham Football Club, Professional Golfers Association, Lords Cricket, New Look, O2 Arena, Telecity, Phones International, NoChex, Truphone, Juno Records, Redcats PLC, Mirada Television, British Midland International, GB Oils, Yorkshire Air Ambulance, Orange, Bank of Jordan, National Theatre, plus many more.

Public Sector
Ministry of Justice, British Library, Amber Valley Council, Harrogate Council, North East Lincolnshire Council, North Lincolnshire Council, Cotswold Council, Tewkesbury Council, Havant Borough Council, Wokingham Borough Council, Dover District Council, Stroud District Council, Gloucestershire City Council, Forest of Dean Council, South Somerset Council, Exeter City Council, Renfrewshire Council, Rossendale Council, Lancaster City Council, plus many more.
Payment Card Industry Approved Scanning Vendor (PCI ASV)
All companies that process and store customer payment card transactions are required to maintain their network security in accordance with the detailed specifications mandated under the Payment Card Industry Data Security Standard (PCI DSS). Failure to demonstrate compliance can result in severe restrictions being placed on merchants by the card issuers, including the ultimate sanction of withdrawal of card authorisation facilities. RandomStorm is one of a select group of Approved Scanning Vendors (ASVs) certified by the PCI Security Standards Council to carry out the periodic external scans of the merchant network that PCI DSS requires, identifying any critical vulnerabilities, and to perform the penetration tests that PCI DSS also requires to prove the integrity of the corporate IT infrastructure.

Payment Card Industry Qualified Security Assessor (QSA)
RandomStorm is one of a select group of Qualified Security Assessors (QSAs) certified to audit networks on behalf of the PCI Security Standards Council. RandomStorm deliver expert technical advice and guidance on PCI DSS compliance. RandomStorm consultants advise on the scope and segmentation of the PCI DSS environment to minimise the cost and effort needed for compliance whilst delivering the functionality needed to meet it.

CESG CHECK
CESG is the national authority responsible for information assurance. The IT Health Check Service, or CHECK, was developed to enhance the availability and quality of the IT health check services that are provided to government in line with HMG policy. In order to achieve CHECK accreditation, consultants are put through rigorous practical examinations and measured against the highest technical standards set by CESG. RandomStorm is an accredited CHECK organisation.
Private Sector References
RandomStorm has over 480 clients covering a wide range of sectors, industries and vertical markets. These include but are not limited to Finance, Utilities, Retail, Central Government, Commercial Services and Media. International markets include the USA, Europe, Jordan, Syria, UAE, Romania, Estonia, Germany and France.

Public Sector References
RandomStorm has been supplying security services to local authorities for over 9 years. Currently RandomStorm supplies services to over 22% of local authorities in the United Kingdom.

Web Application Testing
Web Application Assessment
In this assessment the web site is mapped, mirrored and then inspected for application vulnerabilities. The application testing follows the OWASP application testing guidelines, which can be found at http://www.owasp.org/index.php/Category:OWASP_Testing_Project. The aim is to identify all vulnerable parts of the web application. The assessment is conducted remotely from the RandomStorm data centre. The assessment of web applications examines application functions to determine the security posture of those applications. The following is a list of common vulnerabilities; some can be included in automated testing, while others by their nature require an understanding of the application's logic and of the network infrastructure behind it.
• Cross Site Scripting
• Reflected Cross Site Scripting
• Stored Cross Site Scripting
• DOM based Cross Site Scripting
• Cross Site Flashing
• SQL Injection
• LDAP Injection
• ORM Injection
• XML Injection
• SSI Injection
• XPath Injection
• IMAP/SMTP Injection
• Code Injection
• OS Commanding
• Buffer Overflow Testing
• Heap Overflow
• Stack Overflow
• Format String

WebStorm Service Provision (External Automated Web Application Vulnerability Scanning)

What is WebStorm?
WebStorm is a Software as a Service (SaaS) black-box web application security testing platform. WebStorm can find and report technical and business logic security issues such as SQL injection and Cross Site Scripting, as well as finding email addresses and that long-forgotten test page. Exploitation of these vulnerabilities can have a major impact on business operations.

What vulnerabilities does WebStorm find?
WebStorm not only searches for unknown vulnerabilities within your bespoke web application but also searches for known vulnerabilities which are being actively exploited by black hat hackers.

Cross Site Scripting (XSS)
WebStorm uses a variety of payloads to detect both stored and reflected Cross Site Scripting vulnerabilities, whether the injection point is a form field, the URL or a cookie.

SQL Injection (SQLi)
SQL injection can lead to full operating system and network compromise, which can be especially devastating to a business. WebStorm detects error-based SQL injection using a variety of techniques.

Local File Inclusion (LFI)
WebStorm can detect local file inclusion vulnerabilities within your web application whatever operating system is used.

Information Leakage
Web applications and misconfigured servers often unintentionally leak sensitive information which an attacker can use to further facilitate an attack. WebStorm finds these before the black hat hackers do.
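To make the XSS and error-based SQLi detection described above concrete, here is an added example of the black-box technique: inject payloads into each parameter and cookie, then look for the payload reflected verbatim (XSS) or a database error signature that the baseline page did not already show (SQLi). This is illustrative code written for this page, not WebStorm's code or any RandomStorm tooling. The target application, its vulnerable sinks, the payload list, the error signatures and the callable-based Send abstraction are all assumptions constructed so the example runs offline.

```python
import html
import re
import sqlite3
from dataclasses import dataclass
from typing import Callable, Dict, List

# A request is modelled as a callable (params, cookies) -> response body, so the
# scanner runs offline against the constructed target below. In practice the
# same callable would wrap an HTTP client and carry the real cookie jar.
Send = Callable[[Dict[str, str], Dict[str, str]], str]

# --- Constructed target standing in for the application under test ----------
# Sinks (all constructed for this example): ?q= echoed unescaped (reflected
# XSS); the "theme" cookie echoed unescaped (cookie XSS); ?id= concatenated
# into a query against a real in-memory SQLite database with the error echoed
# back (error-based SQLi); ?name= HTML-escaped (safe, must not be flagged).
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE products (id INTEGER, name TEXT)")
_db.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])


def vulnerable_target(params: Dict[str, str], cookies: Dict[str, str]) -> str:
    out = [f"<p>Results for {params.get('q', '')}</p>"]
    try:
        sql = f"SELECT name FROM products WHERE id = {params.get('id', '1')}"
        rows = _db.execute(sql).fetchall()
        out.append("".join(f"<li>{html.escape(r[0])}</li>" for r in rows))
    except sqlite3.Error as exc:
        out.append(f"<pre>Database error: {html.escape(str(exc), quote=False)}</pre>")
    out.append(f"<body class='{cookies.get('theme', 'light')}'>")
    out.append(f"<p>Hello {html.escape(params.get('name', ''))}</p>")
    return "\n".join(out)


# --- Scanner ------------------------------------------------------------------
# Each XSS payload carries a unique marker so a hit can be tied to the exact
# injection point and payload that produced it; a reflection only counts when
# the payload comes back verbatim, i.e. without HTML encoding.
XSS_TEMPLATES = [
    "<svg/onload=alert('{m}')>",
    "\"><script>alert('{m}')</script>",
    "'-alert('{m}')-'",
]
SQLI_PAYLOADS = ["'", "1'", "\"", ")"]
SQL_ERRORS = re.compile(
    r"unrecognized token|near .{1,40}: syntax error|incomplete input"  # SQLite
    r"|You have an error in your SQL syntax|MySQL server version"       # MySQL
    r"|Unclosed quotation mark|Incorrect syntax near"                    # MSSQL
    r"|PSQLException|ERROR:\s+syntax error at or near"                   # PostgreSQL
    r"|ORA-\d{5}",                                                       # Oracle
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    vuln: str       # "reflected-xss" or "error-sqli"
    location: str   # "param" or "cookie"
    name: str
    payload: str


def scan(send: Send, params: Dict[str, str], cookies: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    # A page that already shows a database error cannot be judged by error
    # signatures, so the baseline is checked before any payload is sent.
    baseline_has_error = bool(SQL_ERRORS.search(send(params, cookies)))
    counter = 0
    for location, store in (("param", params), ("cookie", cookies)):
        for name in store:
            def inject(value: str) -> str:
                p, c = dict(params), dict(cookies)
                (p if location == "param" else c)[name] = value
                return send(p, c)

            for template in XSS_TEMPLATES:
                counter += 1
                payload = template.format(m=f"rsm{counter}")
                if payload in inject(payload):
                    findings.append(Finding("reflected-xss", location, name, payload))
                    break
            if baseline_has_error:
                continue
            for payload in SQLI_PAYLOADS:
                if SQL_ERRORS.search(inject(payload)):
                    findings.append(Finding("error-sqli", location, name, payload))
                    break
    return findings


if __name__ == "__main__":
    for f in scan(vulnerable_target, {"q": "shoes", "id": "1", "name": "bob"}, {"theme": "light"}):
        print(f"{f.vuln:14} {f.location}:{f.name:6} {f.payload}")
```

Against the constructed target the scan reports the q parameter and the theme cookie as reflected XSS and the id parameter as error-based SQLi, while the escaped name parameter is left alone. Note the two deliberate limits: only verbatim reflection is counted, so an encoded echo is not a finding, and error-based detection is skipped entirely when the baseline page already matches an error signature, since the scanner could not then attribute the error to its payload.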
Known Vulnerabilities
As well as finding unknown vulnerabilities within your web application, WebStorm also finds vulnerabilities which are already known to black hat hackers. This list is constantly updated by the RandomStorm internal research team.

Reporting
WebStorm creates a custom report for every scan. The report includes a summary of the scan, a management summary, a technical summary, in-depth vulnerability analysis and more. One feature we're especially proud of is the ability to include screenshots of each vulnerability within the report. As far as we know we are the first to include this feature within vulnerability reports.

Security Help Desk Provision
RandomStorm provide a managed service support desk. The support desk is designed to allow managed service customers to ask questions relating to security events triggered by the managed service platform. Help desk tickets are raised and responded to via a secure online portal.

RandomStorm Reports
Introduction
RandomStorm provide a clear and concise hand-written report. Each report is created following an industry-standard format designed to allow the reader to gain the maximum benefit from the assessment findings. The report includes a management summary and also provides extremely detailed analysis of each host tested. Against each host RandomStorm record the following information:
✓ All identified services
✓ Screenshots identifying where the vulnerability was discovered
✓ How the vulnerability was exploited
✓ Privilege escalation details
✓ What data was visible once the host had been compromised
✓ Consultant recommendations and remedial advice

Risk Categorisation
RandomStorm use a three-tier severity model. The model maps onto the Common Vulnerability Scoring System (CVSS) version 2.0.
The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model is intended to give repeatable, consistent measurement while letting users see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organisations and governments that need accurate and consistent vulnerability impact scores. Two common uses of CVSS are prioritisation of vulnerability remediation activities and calculating the severity of vulnerabilities discovered on one's own systems. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.

The three tiers of the RandomStorm model are HIGH, MEDIUM and LOW. Entries marked as INFO provide information that was obtained during the assessment and carry no score. The RandomStorm tiers map to the CVSS Base Score as shown below.

RandomStorm Severity   Scan Result   CVSS v2.0 Base Score
HIGH                   FAIL          7.0 to 10.0
MEDIUM                 FAIL          4.0 to 6.9
LOW                    PASS          0.0 to 3.9
INFO                   N/A           n/a

Where a CVSS v2.0 Base Score is not already available (for example from the NVD), and where appropriate, the CVSS v2 calculator is used to derive a Base Score from the vulnerability's base metrics. For a component to be classed as compliant under the PCI guidelines, it must have no MEDIUM or HIGH vulnerabilities, i.e. nothing scoring 4.0 or above. For global compliance, the merchant must not have any individual component that fails.
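The categorisation above is mechanical once a base score exists, and the text says the CVSS v2 calculator is used when one does not. The following added example, written for this page rather than taken from RandomStorm's report tooling, implements the CVSS v2 base equation from the public specification, maps the result onto the HIGH/MEDIUM/LOW tiers of the table, and applies the PCI pass/fail rule per component and then across the merchant. The metric weights are the published CVSS v2 constants; the host names and vectors in the demo are constructed for illustration and are not findings from any assessment.

```python
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List

# CVSS v2 base metric weights (CVSS v2.0 specification, base equation).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}     # AccessVector: Local / Adjacent / Network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}      # AccessComplexity: High / Medium / Low
AU = {"M": 0.45, "S": 0.56, "N": 0.704}     # Authentication: Multiple / Single / None
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}    # C/I/A impact: None / Partial / Complete


def _round1(x: float) -> float:
    # CVSS rounds to one decimal place, half away from zero; Python's round()
    # would use banker's rounding, so go through Decimal instead.
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base_score(vector: str) -> float:
    """Base score for a CVSS v2 base vector such as AV:N/AC:L/Au:N/C:P/I:P/A:P."""
    m = dict(part.split(":", 1) for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def severity(score: float) -> str:
    """RandomStorm tier for a base score: HIGH 7.0-10.0, MEDIUM 4.0-6.9, LOW 0.0-3.9."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def component_passes(scores: List[float]) -> bool:
    """A component passes only if nothing on it is MEDIUM or HIGH."""
    return all(severity(s) == "LOW" for s in scores)


def merchant_compliant(components: Dict[str, List[float]]) -> bool:
    """Global compliance: every individual component must pass."""
    return all(component_passes(scores) for scores in components.values())


if __name__ == "__main__":
    # Constructed assessment: host name -> base vectors of what was found there.
    # Hosts and vectors are illustrative only, not real findings.
    assessment = {
        "www": ["AV:N/AC:M/Au:N/C:N/I:P/A:N"],    # reflected XSS, 4.3 -> MEDIUM
        "mail": ["AV:L/AC:L/Au:N/C:P/I:N/A:N"],   # local info leak, 2.1 -> LOW
        "db": ["AV:N/AC:L/Au:N/C:P/I:P/A:P"],     # SQL injection, 7.5 -> HIGH
    }
    scored = {h: [cvss2_base_score(v) for v in vs] for h, vs in assessment.items()}
    for host, scores in scored.items():
        result = "PASS" if component_passes(scores) else "FAIL"
        print(host, [(s, severity(s)) for s in scores], result)
    print("merchant compliant:", merchant_compliant(scored))
```

The boundary that matters in practice is 4.0: a single finding scoring exactly 4.0 is MEDIUM and fails the component, and one failing component fails the merchant, which is why rounding is done half-up as CVSS specifies rather than with Python's default round().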