
Security policy
Web application vulnerabilities represent the largest portion of attack vectors outside of malware. It is crucial that any web application be assessed for vulnerabilities and that any vulnerabilities be fixed before deployment to production.
The purpose of this policy is to define the security assessments of web applications within DATAMIX.IO SAS. Web application assessments are performed to identify potential or realized weaknesses due to inadvertent misconfiguration, weak authentication, insufficient error handling, leakage of sensitive information, etc. The discovery and subsequent mitigation of these issues will limit the attack surface of DATAMIX.IO services available internally and externally as well as satisfy compliance with all relevant policies in place.
Methods implemented
- Protection against SQL injections (SQLi) and XSS (Cross-Site Scripting) vulnerabilities.
- Protection against visitors arriving via proxies, VPNs or Tor.
- Protection against spammers and spam bots targeting your content.
- Protection module that sanitises all incoming and outgoing requests and responses.
- Module that filters vulgarities, forbidden words, malicious links, toxic phrases and other undesirable content in real time.
- Integration with the best anti-spam databases (DNSBL) to protect your site from malicious visitors.
- Intelligent pattern recognition: detection of unknown / zero-day attacks and exploits.
- Industrial-grade algorithms: detection of known hacker attacks.
- Banning system: blocking/redirecting visitors/users (IP addresses), countries, IP ranges, operating systems, browsers, ISPs and referrers.
- Block the many bad bots and crawlers that waste your site's bandwidth.
- Protection against fake bots.
- Validation of request headers.
- Real-time analysis of all requests.
Scope
This policy covers all web application security assessments requested by any individual, group, or department for the purpose of maintaining the security posture, compliance, risk management, and change control of technologies used at DATAMIX.IO.
All web application security assessments will be performed by delegated security personnel either employed or contracted by DATAMIX.IO. All results are considered confidential and must be distributed to individuals on a "need to know" basis. Distribution of any findings outside of DATAMIX.IO is strictly prohibited unless approved by the Chief Technology Officer.
Any relationships within the multi-tiered applications found during the scoping phase will be included in the evaluation unless explicitly limited. Subsequent limitations and justifications will be documented prior to the start of the evaluation.
Policy
1. Web applications are subject to security assessments based on the following criteria:
- New or major version of the application - will undergo a full evaluation prior to approval of change control documentation and/or release to the live environment.
- Third party or acquired web application - will be subject to a full evaluation, after which it will be bound to the policy requirements.
- Ad hoc releases - will be subject to an appropriate level of assessment based on the risk of changing the functionality and/or architecture of the application.
- Patch releases - will be appropriately assessed for the risk of changing the functionality and/or architecture of the application.
- Emergency releases - An emergency release will be authorized to waive security assessments and carry the assumed risk until an appropriate assessment can be completed. Emergency releases will be designated as such by the Chief Information Officer or an appropriate manager to whom this authority has been delegated.
2. All security issues that are discovered during assessments shall be mitigated according to the following risk levels. The risk levels are based on the PEMA risk assessment methodology. Corrective action validation testing will be required to validate the correction and/or mitigation strategies for any discovered issues of medium or higher risk levels.
- High - Any high-risk issues should be corrected immediately or other mitigation strategies should be put in place to limit exposure before deployment. Applications with high-risk issues may be taken offline or denied deployment in the live environment.
- Medium - Medium-risk issues should be reviewed to determine what is needed to mitigate them and scheduled accordingly. Medium risk applications may be taken offline or denied in the live environment based on the number of issues and if multiple issues increase the risk to an unacceptable level. Issues should be addressed as part of a patch or point release unless other mitigation strategies limit exposure.
- Low - The issue should be examined to determine what is needed to correct it and scheduled accordingly.
3. The following security assessment levels shall be established by the InfoSec organization or other designated organization that will perform the assessments.
- Complete - A full assessment includes testing for all known web application vulnerabilities using automated and manual tools based on the OWASP Testing Guide. A full assessment will use manual penetration testing techniques to validate discovered vulnerabilities to determine the overall risk of any discovered vulnerability.
- Quick - A rapid assessment will consist of a (typically) automated scan of an application for OWASP's top ten web application security risks, at a minimum.
- Targeted - A targeted assessment is performed to check for changes to fix vulnerabilities or new features in the application.
4. The currently approved web application security assessment tools that will be used for testing are:
Other tools and/or techniques may be used depending on what is found during the assessment and on the need to determine validity and risk, at the discretion of the security engineering team.
Policy compliance
COMPLIANCE ACTION
The Infosec team will verify compliance with this policy through a variety of methods including, but not limited to, periodic audits, video surveillance, business tool reports, internal and external audits, and feedback to the policy owner.
EXCEPTIONS
Any exceptions to the policy must be approved in advance by the Infosec team.
NON-COMPLIANCE
An employee found in violation of this policy may be subject to disciplinary action up to and including termination of employment.
Evaluations of web applications are a requirement of the change control process and must adhere to this policy, unless it is determined that they are exempt. All application releases must go through the change control process. Any web application that does not comply with this policy may be taken offline until a formal assessment can be completed, at the discretion of the Chief Information Officer.
Related standards, policies and processes
- OWASP Top Ten Project
- OWASP Testing Guide
- OWASP Mobile Security Testing Guide
- Vulnerabilities Database
