Enterprise Application - Test Plan Criteria
Following are the test criteria that Enterprise applications have to meet in order to be issued the SI Tested seal. Enterprise applications fall into two classifications:
- Client/Server. An application that consists of multiple components, at least one of which is on a client machine and one of which is on a server machine, with the components communicating with each other over a network.
- Web. An application delivered to users over the internet via a web server and a web browser.
Scope of Assessment
Our assessment focuses on the immediate application under test and its environment. Items out of scope for this assessment include, but are not limited to, the following:
- Backend systems
- Physical security of the customer site, servers, firewall configuration, etc.
- Effectiveness of failover or redundant systems, power protection, etc.
- Protection from insider threats from employees or others with physical or electronic access
- Review of internal IT security policy
- Social engineering, industrial espionage, etc.
- Review of documentation/requirements for compliance with laws, standards or certification programs
Enterprise - Web Application Criteria
1.0 Authorization
SUMMARY: Verify that the authorization mechanism is not subject to attacks aimed at bypassing it.
- U1. Server-side authorization checks are performed for each server resource that is accessed.
- U2. Security decisions are not based on client-side validation.
2.0 Cryptography
SUMMARY: Verify that cryptography is well implemented.
- C1. Industry standard cryptographic methods are used.
- C2. Sufficient key length is used.
3.0 Data Access
SUMMARY: Verify that strong data access controls are in place.
- D1. Connection strings conform to the least privilege principle.
- D2. The application protects data from malicious modification.
- D3. The application protects data from being disclosed to unauthorized users.
4.0 Error Handling
SUMMARY: Verify error messages do not reveal confidential information.
- E1. Error messages don't contain internal application details.
5.0 Logging
SUMMARY: Verify that logging is performed and is not subject to attacks aimed at altering the logging functionality.
- L1. The application restricts users from interacting directly with the logging framework.
- L2. The application must be protected against attacks aimed at deceiving the logging framework into attributing actions to other users.
- L3. The application must be protected against attacks aimed at modifying the behavior of the logging functionality via abnormal input.
- L4. The application is protected against Denial of Service attacks performed using repeated actions to fill server log files.
- L5. The application logs enough appropriate data to detect and deconstruct an attack against the system.
- L6. Logs do not contain sensitive data.
- L7. The logging framework is appropriately protected to prevent logs from being stolen or modified.
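The logging criteria L1 through L6 above describe properties a tester will probe for; the following is an added example (not code from this test plan or from any vendor it assesses) of an application-side audit logger that satisfies them. It assumes a web application written in Python, takes the acting user from the server-side session rather than from the request (L2), neutralizes control characters so request data cannot forge additional log lines (L3), caps events per principal per time window so repeated requests cannot fill the log (L4), records who did what and when with a result field (L5), and redacts a constructed list of sensitive field names (L6). The in-memory list standing in for the log file, the field names and the limits are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional

# Control characters (including CR/LF) that could start a forged line or a
# terminal escape sequence when the log is viewed (criterion L3).
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Constructed deny-list of field names that must never be written (criterion L6).
_SENSITIVE_KEYS = {"password", "token", "ssn", "card_number"}
_MAX_FIELD_LEN = 200


def neutralize(value: object) -> str:
    """Render a value as a single bounded log token: escape control bytes and truncate."""
    safe = _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), str(value))
    if len(safe) > _MAX_FIELD_LEN:
        safe = safe[:_MAX_FIELD_LEN] + "...[truncated]"
    return safe


def redact(fields: Dict[str, object]) -> Dict[str, str]:
    """Replace sensitive field values with a marker and neutralize the rest."""
    return {
        k: "[REDACTED]" if k.lower() in _SENSITIVE_KEYS else neutralize(v)
        for k, v in fields.items()
    }


class RateLimiter:
    """Sliding-window cap on audit events per principal (criterion L4)."""

    def __init__(self, max_events: int, window_seconds: float) -> None:
        self.max_events = max_events
        self.window = window_seconds
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, principal: str, now: float) -> bool:
        q = self._events[principal]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_events:
            return False
        q.append(now)
        return True


class AuditLogger:
    """Only this class writes audit lines; request handlers never touch the sink (L1)."""

    def __init__(self, limiter: RateLimiter) -> None:
        self.limiter = limiter
        self.lines: List[str] = []  # stands in for an append-only log file
        self.suppressed = 0         # events dropped by the rate limiter

    def event(self, session_user: str, action: str, now: float,
              result: str = "ok", **fields: object) -> Optional[str]:
        """Write one audit line. `session_user` must come from the server-side
        session, never from a request parameter, so actions cannot be attributed
        to someone else (L2). Returns the line, or None if it was rate-limited."""
        if not self.limiter.allow(session_user, now):
            self.suppressed += 1
            return None
        parts = [
            "ts=%.0f" % now,
            "user=" + neutralize(session_user),
            "action=" + neutralize(action),
            "result=" + neutralize(result),
        ]
        parts += ["%s=%s" % (neutralize(k), v) for k, v in redact(fields).items()]
        line = " ".join(parts)
        self.lines.append(line)
        return line


if __name__ == "__main__":
    log = AuditLogger(RateLimiter(max_events=3, window_seconds=60))
    # Constructed hostile input: a request field carrying a newline and a fake line.
    print(log.event("alice", "login", now=1000.0,
                    username="alice\nts=1000 user=bob action=delete result=ok",
                    password="hunter2"))
```

The rate limiter suppresses excess events rather than blocking the request, and counts what it dropped; a tester checking L4 and L5 would expect the suppression count itself to be logged periodically so the gap in the record is visible.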
6.0 Input & Data Validation
SUMMARY: Verify Input/Output is validated properly and securely.
- I1. All user input is validated for type, length, format and range.
- I2. All input is properly encoded before being echoed back to the user.
- I3. User supplied filename and path input is filtered.
- I4. Client side validation is not relied upon.
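Criteria I1 through I4 are tested together in practice: the tester submits values that a browser-side check would have rejected and looks for the server accepting them. The following is an added example (not from this test plan or any assessed product) of server-side handling for a hypothetical order form in a Python web application. Every field is allow-listed for type, length, format and range (I1), output is HTML-encoded at the rendering boundary rather than at input time (I2), a user-supplied filename is reduced to a single safe path component under a fixed upload root (I3), and the form is processed entirely server-side with no dependence on what the client validated (I4). The field names, patterns, ranges and the upload root are constructed for the example.

```python
import html
import re
from pathlib import PurePosixPath
from typing import Dict


class ValidationError(ValueError):
    """Raised with the field name only; the offending value is not echoed back."""


# Constructed allow-list rules (criterion I1): type, length, format, range.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")
QUANTITY_RE = re.compile(r"[0-9]{1,4}")
QUANTITY_MIN, QUANTITY_MAX = 1, 1000
# A filename is one component: starts alphanumeric, no separators, bounded length.
FILENAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
UPLOAD_ROOT = PurePosixPath("/srv/app/uploads")  # assumed fixed upload directory


def validate_username(raw: object) -> str:
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValidationError("username")
    return raw


def validate_quantity(raw: object) -> int:
    # Format check first, then the numeric range, so "1e3" or "-1" never reach int().
    if not isinstance(raw, str) or not QUANTITY_RE.fullmatch(raw):
        raise ValidationError("quantity")
    qty = int(raw)
    if not QUANTITY_MIN <= qty <= QUANTITY_MAX:
        raise ValidationError("quantity")
    return qty


def resolve_upload(raw: object) -> PurePosixPath:
    """Criterion I3: accept only a single safe path component under UPLOAD_ROOT."""
    if not isinstance(raw, str) or not FILENAME_RE.fullmatch(raw) or ".." in raw:
        raise ValidationError("filename")
    candidate = UPLOAD_ROOT / raw
    # Defence in depth: the joined path must still sit directly under the root.
    if candidate.parent != UPLOAD_ROOT:
        raise ValidationError("filename")
    return candidate


def render_greeting(name: str) -> str:
    """Criterion I2: encode at the output boundary, whatever validation did earlier."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def process_form(form: Dict[str, object]) -> Dict[str, object]:
    """Criterion I4: the server validates every field itself; client-side checks
    are treated as a usability aid only and nothing here depends on them."""
    return {
        "username": validate_username(form.get("username", "")),
        "quantity": validate_quantity(form.get("quantity", "")),
        "upload_path": str(resolve_upload(form.get("filename", ""))),
    }


if __name__ == "__main__":
    # Constructed request as a bypassing client might send it.
    try:
        print(process_form({"username": "alice", "quantity": "0042",
                            "filename": "../../etc/passwd"}))
    except ValidationError as exc:
        print("rejected field:", exc)
```

Rejecting with the field name but not the value keeps the error response from becoming a reflection point, which is the E1 criterion in the next section applied to validation failures.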
7.0 Sensitive Data
SUMMARY: Verify sensitive data is stored and encrypted properly.
- S1. Sensitive data is stored with great care.
- S2. Sensitive data is encrypted before being sent on the network.
8.0 Session Management
SUMMARY: Verify tokens are formatted and sent securely.
- M1. Authentication tokens are transmitted over a secure connection.
- M2. Authentication tokens are not predictable.
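The session management criteria M1 and M2 apply to both classifications. As an added example (not code from this test plan), the following Python session store shows what a passing implementation looks like: tokens are drawn from the operating system CSPRNG with 256 bits of entropy (M2), only a hash of each token is kept server-side so a copied session table does not yield usable tokens, sessions expire and can be revoked, and the cookie is issued with the Secure attribute so the browser only ever sends it over TLS (M1), plus HttpOnly and SameSite. The time-to-live, cookie name and the in-memory store are assumptions for the example.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

TOKEN_BYTES = 32          # 256 bits of entropy per token (criterion M2)
SESSION_TTL = 30 * 60     # assumed idle lifetime, seconds
COOKIE_NAME = "session"   # assumed cookie name


def _digest(token: str) -> str:
    # The server stores and looks up only the hash of the token.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        # sha256(token) -> (user, expires_at); constructed in-memory store
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def create(self, user: str, now: float) -> str:
        """Issue a fresh token after successful authentication (never reuse a
        pre-login token, so session fixation is not possible)."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[_digest(token)] = (user, now + SESSION_TTL)
        return token

    def lookup(self, token: str, now: float) -> Optional[str]:
        """Return the user for a valid, unexpired token, else None."""
        key = _digest(token)
        record = self._sessions.get(key)
        if record is None:
            return None
        user, expires_at = record
        if now >= expires_at:
            del self._sessions[key]   # expired sessions are purged, not kept
            return None
        return user

    def revoke(self, token: str) -> None:
        """Logout: the server forgets the token rather than relying on the browser."""
        self._sessions.pop(_digest(token), None)


def session_cookie(token: str) -> str:
    """Set-Cookie value for the token. Secure => sent only over TLS (criterion M1);
    HttpOnly => not readable by page scripts; SameSite=Lax limits cross-site sends."""
    return "%s=%s; Secure; HttpOnly; SameSite=Lax; Path=/; Max-Age=%d" % (
        COOKIE_NAME, token, SESSION_TTL)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", now=0.0)
    print("Set-Cookie:", session_cookie(tok))
    print(store.lookup(tok, now=10.0), store.lookup(tok, now=SESSION_TTL + 1))
```

Because the token has 256 bits of entropy, the hash-keyed dictionary lookup is not a practical timing oracle; a tester checking M2 would instead collect a sample of issued tokens and confirm they show no sequential or time-derived structure.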
Enterprise - Client/Server Application Criteria
1.0 Authentication
SUMMARY: Verify that the authentication mechanism is not subject to attacks aimed at bypassing it.
- A1. User cannot elevate privileges with malformed input.
- A2. Passwords are stored securely.
- A3. User identity is verified before resetting a password.
- A4. Predefined passwords are unique and require reset.
- A5. Only administrators can add, modify or delete user IDs.
- A6. Lockouts are enforced with a limited duration.
- A7. Strong passwords are enforced.
- A8. Password renewal is enforced.
- A9. Error pages do not give away usernames.
- A10. SSL/TLS is used when transmitting credentials.
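Several of the authentication criteria above (A2, A6, A7 and A9) are properties of one piece of server code, so the following added example (not from this test plan or any assessed product) shows them together in Python: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes and checked in constant time (A2), a constructed strength policy is enforced at registration (A7), five failures lock the account for a fixed period after which it unlocks by itself (A6), and login returns the same "denied" result for an unknown user as for a wrong password, running a dummy hash in the unknown-user case so the two are not distinguishable by response or timing (A9). The iteration count defaults to 600,000, the value recommended by the OWASP Password Storage Cheat Sheet for PBKDF2-HMAC-SHA256 at the time of writing; the threshold, lockout period and policy are assumptions for the example.

```python
import hashlib
import hmac
import os
import re
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # OWASP guidance for PBKDF2-HMAC-SHA256 (at time of writing)
SALT_BYTES = 16
MAX_FAILED = 5                # assumed: failures before lockout
LOCKOUT_SECONDS = 15 * 60     # criterion A6: lockout has a limited duration


def check_password_strength(password: str) -> bool:
    """Constructed policy for criterion A7: 12+ characters and at least three of
    lower case, upper case, digit, other."""
    if len(password) < 12:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(1 for c in classes if re.search(c, password)) >= 3


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Criterion A2: per-user random salt, slow derived key, self-describing record."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


class AuthStore:
    def __init__(self, iterations: int = PBKDF2_ITERATIONS) -> None:
        self.iterations = iterations
        self._users: Dict[str, str] = {}                        # user -> hash record
        self._failures: Dict[str, Tuple[int, float]] = {}       # user -> (count, locked_until)
        # Hashed once so unknown-user logins cost the same as a real verification (A9).
        self._dummy = hash_password(secrets.token_hex(16), iterations)

    def register(self, user: str, password: str) -> None:
        if not check_password_strength(password):
            raise ValueError("password does not meet the policy")
        self._users[user] = hash_password(password, self.iterations)

    def login(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'locked' or 'denied'. The caller must show the same
        message for 'denied' whether or not the user exists (criterion A9)."""
        count, locked_until = self._failures.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"
        record: Optional[str] = self._users.get(user)
        matched = verify_password(password, record if record else self._dummy)
        if matched and record is not None:
            self._failures.pop(user, None)
            return "ok"
        count += 1
        if count >= MAX_FAILED:
            # Lock, and start a fresh count once the lock has expired (A6).
            self._failures[user] = (0, now + LOCKOUT_SECONDS)
        else:
            self._failures[user] = (count, 0.0)
        return "denied"


if __name__ == "__main__":
    store = AuthStore()
    store.register("alice", "Correct-Horse-Battery-9")
    print(store.login("alice", "Correct-Horse-Battery-9", now=0.0))
    print(store.login("alice", "wrong password", now=1.0))
```

A tester checking A6 would expect the lockout to be enforced per account on the server regardless of client behaviour, and to expire on its own; one checking A9 would compare responses and response times for an existing and a non-existent username.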
2.0 Authorization
SUMMARY: Verify that the authorization mechanism is not subject to attacks aimed at bypassing it.
- U1. Server-side authorization checks are performed for each server resource that is accessed.
- U2. Security decisions are not based on client-side validation.
3.0 Cryptography
SUMMARY: Verify that cryptography is well implemented.
- C1. Industry standard cryptographic methods are used.
- C2. Sufficient key length is used.
4.0 Data Access
SUMMARY: Verify that the authorization mechanism is not subject to attacks aimed at bypassing it.
- D1. Database accounts conform to the principle of least privilege.
- D2. The application protects data from malicious modification.
- D3. The application protects data from being disclosed to unauthorized users.
- D4. Connection strings are stored securely.
5.0 Error Handling
SUMMARY: Verify error messages do not reveal confidential information.
- E1. Error messages don't contain internal application details.
6.0 Logging
SUMMARY: Verify that logging is performed and is not subject to attacks aimed at altering the logging functionality.
- L1. The application restricts users from interacting directly with the logging framework.
- L2. The application must be protected against attacks aimed at deceiving the logging framework into attributing actions to other users.
- L3. The application must be protected against attacks aimed at modifying the behavior of the logging functionality via abnormal input.
- L4. The application is protected against Denial of Service attacks performed using repeated actions to fill server log files.
- L5. Logs do not contain sensitive data.
- L6. The logging framework is appropriately protected to prevent logs from being stolen or modified.
7.0 Input & Data Validation
SUMMARY: Verify Input/Output is validated properly and securely.
- I1. All user input is validated for type, length, format and range.
- I2. All input is properly encoded before being echoed back to the user.
- I3. User supplied filename and path input is filtered.
- I4. Client side validation is not relied upon.
8.0 Sensitive Data
SUMMARY: Verify sensitive data is stored and encrypted properly.
- S1. Sensitive data is encrypted before being stored on the local machine.
- S2. Sensitive data is encrypted before being sent on the network.
- S3. Sensitive data is encrypted in the database.
- S4. Log files do not contain sensitive information.
9.0 Session Management
SUMMARY: Verify tokens are formatted and sent securely.
- M1. Authentication tokens are transmitted over a secure connection.
- M2. Authentication tokens are not predictable.
