Overview

This guideline aims to standardize security testing using the OWASP web and mobile security testing guides.

Test Guidelines

  1. Vulnerability and authenticated scans should be aligned with the OWASP testing guides, following the provided security testing checklists for web and mobile.

  2. By default, testing should be performed only against a locally built security testing environment. If security testing is needed on staging or production, the timeline should be planned and agreed with the other teams involved.

  3. Testing materials, including scripts, test data, and payloads, should be managed properly.

  4. Test results, artifacts, and documentation should be encrypted.

  5. Tool findings should be replicated manually in order to confirm the vulnerability.

  6. Test results should properly document how the vulnerability is reproduced.

  7. Vulnerability assessment should be done using CVSS v3.1 and prioritized using risk assessments.

  8. The test report should be sent after the test is complete and should include the findings together with their vulnerability and risk assessments.

Vulnerability Reporting

The vulnerability report should contain comprehensive technical details, including screenshots and artifacts (if needed), to support remediation. The technical details should consist of:

  • Vulnerability description

  • Risk associated based on its impact

  • Vulnerable features, services, and/or ports

  • Severity of the findings

  • Sufficient details on how it is reproduced, and

  • A recommendation to resolve the issue.

For more information, the vendor may follow the OWASP vulnerability reporting procedures.

Vulnerability Ticketing

Found vulnerabilities should be addressed through the standard bug fix procedures. Each vulnerability will have a unique Jira ticket to track the mitigation or remediation activities that address it.