Overview
This guideline standardizes security testing on the OWASP Web and Mobile Security Testing Guides.
Test Guidelines
Vulnerability scans and authenticated scans should be aligned with the OWASP testing guides and follow the provided security testing checklists for web and mobile.
By default, testing is performed only against a locally built security testing environment. If testing on staging or production is required, the timeline must be planned and agreed with the teams that own those environments.
Test assets, including scripts, test data, and payloads, should be properly managed.
Test results, artifacts, and documentation should be encrypted, both when stored and when shared.
Tool findings must be reproduced manually to confirm the vulnerability and rule out false positives.
Test results should document the exact steps needed to reproduce each vulnerability.
Each vulnerability should be scored using CVSS v3.1 and prioritized through the risk assessment process (CVSS measures technical severity; the risk assessment adds business impact and likelihood in context).
The test report should be delivered after the test is complete and should include all findings together with their vulnerability (CVSS) and risk assessments.
Vulnerability Reporting
The vulnerability report should contain comprehensive technical details, including screenshots and artifacts where needed, to support remediation. The technical details should consist of:
Vulnerability description
Associated risk, based on its impact
Vulnerable feature, service, and/or port
Severity of the finding (CVSS v3.1 score)
Sufficient detail to reproduce it, and
A recommendation to resolve the issue.
For more information, the vendor may follow the OWASP vulnerability reporting procedures.
Vulnerability Ticketing
Identified vulnerabilities are addressed through the standard bug-fix procedure. Each vulnerability gets its own Jira ticket to track the mitigation or remediation activities that address it.