
In Focus








Comprehensive Security Assessment

A proactive granular approach for enhancing security

Comprehensive Security Assessment (CSA) Audit is to carry out an in-depth analysis of existing application and web infrastructure threats and to check the built-in security controls present in the running Project portal. The CSA further aims to trace hidden security issues, check for strong access controls, assess the safeguards in place against data breaches and recommend strong measures for data security.

Comprehensive security assessment follows a layered approach, wherein it covers the assessment of all the in-line infrastructure components (network devices, security devices, server environments and mobile/web applications/APIs) to ensure that all areas of threats, vulnerabilities and risks are identified and reported. The CSA approach includes five key verticals that should be executed to assess the respective Project portal's strengths and weaknesses. The outline scope for the security compliance testing process should be properly documented, with steps clearly laid out in the test plan. It should also include layered deliverables, with a deliverable for each assessment step. The components included in the CSA scope are:

1. Business logic process compliance check: mainly involves access control checks (as per ISO 27001:2013), checks on the out-of-band processes being used (OTPs, password changes etc.), API and data security controls (data privacy, sensitive data handling etc.) and an audit log check of the complete process workflow. This test also verifies whether data security controls are properly in place.

2. External-facing infrastructure assessment: covers configuration/firewall rule review and vulnerability assessment of the in-line perimeter/security devices in use by the respective Project portal. The public IP addresses/URLs are also taken up for security compliance assessment.

3. Internal infrastructure vulnerability assessment: the internal servers, security devices and network devices are also taken up for security compliance testing.

4. Web/Mobile App/API/Web Services: the web and mobile applications, APIs and web services used by the Project portal are also taken up for security compliance testing.

5. Network and deployment architecture: reviewed for any security gaps.

All the above processes are taken up continuously, in iterative mode, till all the raised vulnerabilities are mitigated. The CSA process provides a granular security compliance assessment mechanism that helps build a viable and fool-proof security posture.

Rajesh Mishra
Scientist-F
mrajesh@nic.in
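The business logic compliance check described above looks for owner-only access control on sensitive actions, an out-of-band OTP that is single-use, time-limited and attempt-limited, and an audit trail that records the whole workflow. The following Python snippet is an added example, not code from this article or from NIC: it implements a minimal password-change service with those controls and an audit_workflow_gaps() check of the kind an audit log review would run over the resulting log. The class and event names, the 300-second OTP validity and the three-attempt limit are assumptions made for the illustration.

```python
"""Password change gated by an out-of-band OTP, with owner-only access control and
an audit event for every step (constructed example, not NIC code)."""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed policy: OTP valid for five minutes
MAX_OTP_ATTEMPTS = 3    # assumed policy: request voided after three wrong codes
REQUIRED_FIELDS = {"ts", "event", "user", "actor", "outcome"}


class PasswordChangeService:
    def __init__(self, send_otp, clock=time.time):
        self.send_otp = send_otp      # out-of-band delivery (SMS/e-mail gateway in production)
        self.clock = clock            # injectable so expiry can be exercised in tests
        self._pending = {}            # user_id -> {"otp_hash", "expires", "attempts"}
        self.password_hashes = {}     # user_id -> (salt, PBKDF2 hash)
        self.audit_log = []           # one dict per security-relevant event

    def _audit(self, event, user_id, actor_id, outcome, **extra):
        self.audit_log.append({"ts": self.clock(), "event": event, "user": user_id,
                               "actor": actor_id, "outcome": outcome, **extra})

    def request_change(self, actor_id, user_id):
        """Access control check: only the account owner may start the workflow."""
        if actor_id != user_id:
            self._audit("password_change_request", user_id, actor_id, "denied",
                        reason="actor is not the account owner")
            return False
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user_id] = {"otp_hash": hashlib.sha256(otp.encode()).digest(),
                                  "expires": self.clock() + OTP_TTL_SECONDS, "attempts": 0}
        self.send_otp(user_id, otp)   # the code leaves the server only via the out-of-band channel
        self._audit("otp_issued", user_id, actor_id, "ok")
        return True

    def confirm_change(self, actor_id, user_id, otp, new_password):
        """Out-of-band check: OTP must match the pending one, be unexpired and within the limit."""
        def fail(reason, outcome="failed"):
            self._audit("password_change_confirm", user_id, actor_id, outcome, reason=reason)
            return False

        if actor_id != user_id:
            return fail("actor is not the account owner", outcome="denied")
        pending = self._pending.get(user_id)
        if pending is None:
            return fail("no pending request")
        if self.clock() > pending["expires"]:
            del self._pending[user_id]
            return fail("otp expired")
        pending["attempts"] += 1
        supplied = hashlib.sha256(otp.encode()).digest()
        if not hmac.compare_digest(supplied, pending["otp_hash"]):   # constant-time compare
            if pending["attempts"] >= MAX_OTP_ATTEMPTS:
                del self._pending[user_id]
                return fail("otp attempts exhausted")
            return fail("otp mismatch")
        del self._pending[user_id]    # single use: a replayed OTP finds no pending request
        salt = secrets.token_bytes(16)
        self.password_hashes[user_id] = (
            salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
        self._audit("password_changed", user_id, actor_id, "ok")
        return True


def audit_workflow_gaps(audit_log):
    """Audit log check: every event carries the mandatory fields, and every successful
    password change is preceded by an unconsumed otp_issued event for that user/actor."""
    gaps = []
    issued = {}
    for i, ev in enumerate(audit_log):
        missing = REQUIRED_FIELDS - set(ev)
        if missing:
            gaps.append(f"event {i}: missing fields {sorted(missing)}")
            continue
        key = (ev["user"], ev["actor"])
        if ev["event"] == "otp_issued" and ev["outcome"] == "ok":
            issued[key] = issued.get(key, 0) + 1
        elif ev["event"] == "password_changed" and ev["outcome"] == "ok":
            if issued.get(key, 0) == 0:
                gaps.append(f"event {i}: password changed for {ev['user']} with no prior OTP issuance")
            else:
                issued[key] -= 1
    return gaps


if __name__ == "__main__":
    delivered = []
    svc = PasswordChangeService(send_otp=lambda uid, code: delivered.append(code))
    svc.request_change("alice", "alice")
    print("changed:", svc.confirm_change("alice", "alice", delivered[-1], "N3w-passw0rd"))
    print("audit gaps:", audit_workflow_gaps(svc.audit_log))
```

The audit check deliberately consumes one otp_issued event per successful change, so a log showing two password changes against a single OTP issuance is reported as a gap, which is the kind of workflow inconsistency the complete-process audit log review is meant to surface.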

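For the external-facing infrastructure step, the configuration/firewall rule review can be partly automated. The following Python snippet is an added example, not code from this article or from NIC: it checks a constructed rule set (documentation address ranges only) for management services exposed to the Internet, Internet-facing allow rules that are not logged, an any-to-any allow and a missing final default-deny rule. The Rule fields, the MANAGEMENT_PORTS baseline and first-match rule semantics are assumptions made for the illustration.

```python
"""Review of an external firewall rule set as a CSA external-infrastructure check
(constructed example, not NIC code; addresses are RFC 5737 documentation ranges)."""
from dataclasses import dataclass
from ipaddress import ip_network

# Services that must not be reachable from arbitrary Internet sources.
# Assumed baseline for this example; tune to the portal's actual architecture.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 3306: "mysql",
                    1433: "mssql", 5432: "postgresql", 6379: "redis", 27017: "mongodb"}
ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    proto: str               # "tcp", "udp" or "any"
    ports: tuple = ANY_PORT  # inclusive (low, high) destination port range
    log: bool = False


def _is_internet(cidr):
    return ip_network(cidr).prefixlen == 0          # 0.0.0.0/0 or ::/0


def _covers(rule, port):
    return rule.ports[0] <= port <= rule.ports[1]


def review_rules(rules):
    """Return (rule name, severity, message) findings; first-match semantics assumed."""
    findings = []
    for rule in rules:
        if rule.action != "allow" or not _is_internet(rule.src):
            continue                                 # only Internet-facing allow rules are reviewed
        if _is_internet(rule.dst) and rule.ports == ANY_PORT:
            findings.append((rule.name, "HIGH", "any-to-any allow from the Internet"))
            continue
        if rule.proto in ("tcp", "any"):
            for port, service in MANAGEMENT_PORTS.items():
                if _covers(rule, port):
                    findings.append((rule.name, "HIGH",
                                     f"exposes {service} ({port}/tcp) to the Internet"))
        if not rule.log:
            findings.append((rule.name, "MEDIUM", "Internet-facing allow rule is not logged"))
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or not (_is_internet(last.src) and _is_internet(last.dst)):
        findings.append(("<policy>", "HIGH", "no explicit final default-deny rule"))
    return findings


# Constructed rule set: a portal host exposed on HTTPS, with one mistaken open-SSH rule.
SAMPLE_RULES = [
    Rule("web-https", "allow", "0.0.0.0/0", "203.0.113.10/32", "tcp", (443, 443), log=True),
    Rule("ssh-open", "allow", "0.0.0.0/0", "203.0.113.10/32", "tcp", (22, 22)),
    Rule("ssh-admin", "allow", "198.51.100.0/24", "203.0.113.10/32", "tcp", (22, 22), log=True),
    Rule("db-internal", "allow", "10.0.0.0/8", "10.0.1.0/24", "tcp", (3306, 3306)),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", log=True),
]

if __name__ == "__main__":
    for name, severity, message in review_rules(SAMPLE_RULES):
        print(f"[{severity}] {name}: {message}")
```

Run against the sample set, the review reports the open SSH rule twice (exposed management service, unlogged), while the admin-only SSH rule from a fixed source range and the internal database rule pass; dropping the trailing deny rule adds a policy-level finding, since a rule set that relies on an implicit default is exactly what the configuration review should flag.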


          36  informatics.nic.in  October 2021