2. Topics
▪ ITG Services Offered
▪ Services Explained
▪ Web Site & Web Application
▪ Server: Internal Vulnerability Assessment
▪ White-Box, Grey-Box & Black-Box
▪ Network Device
▪ Mobile Application – Vulnerability Assessment
▪ General IS Audit
▪ Questionnaires for Customer Engagement
▪ Standard Technical Proposal Format for different ITG Services
3. ITG Services Offered
▪ End to end IT Infrastructure Audit
▪ Application Functional / Security Audit including Mobile Apps.
▪ Network Security Audit including wireless security
▪ Gap Analysis for ISO 27001:2013
▪ Consultancy for implementation of ISO 27001:2013
▪ Business Continuity / DR Plan Process Audit
▪ Business Impact Analysis
▪ CTCL Audits
▪ Process Audits
▪ Data Centre Audits
▪ VAPT Services
▪ Website Security audits
▪ STQC Audits include application security, VAPT, Audit as per CVC Guidelines, ISO 27001
4. Application Security / Functionality Audits
▪ Different Types of applications
▪ Non-web based
▪ Web based
▪ Mobile based
▪ Non-web-based applications (for example Finacle, at present) are audited with manual methods.
▪ Web-based applications, for example internet banking.
▪ Mobile-based applications, for example mobile banking.
▪ All except non-web-based applications additionally require tool-based VAPT alongside the manual methods.
5. Standards / benchmarks used
▪ ISO 27001:2013
▪ COBIT
▪ OWASP Top 10 vulnerabilities
▪ OWASP Mobile guidelines
▪ CIS Benchmarks
7. Web Application (DYNAMIC)
A web application is defined by its interaction with the user: it takes programmatic user input and processes data, so its responses depend on that input.
For example: mail, search engines, login-based applications.
8. Web Application - Example
▪ Login application
▪ Internet banking app
▪ Mail / chat app
▪ E-commerce app
▪ E-tendering app
9. Website (usually STATIC)
A website is defined by its content. It can consist entirely of a static content repository that is served identically to every visitor.
For example: news sites, informational portals.
15. Internal VAPT
Servers and network devices are the components of an internal VAPT exercise.
Internal VA can be performed at the client location or through VPN access.
Admin credentials are required for a thorough (authenticated) vulnerability assessment of each in-scope device; an unauthenticated scan only sees what the device exposes on the network.
For network devices, the configuration files are analysed as part of the VA.
Nessus is used, together with open-source tools such as Nmap.
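Slide 15 states that configuration files are analysed during network-device VA. As an added example that is not part of the original deck and not ITG's own tooling, the following Python script runs a handful of line-based checks over a constructed Cisco IOS-style running-config. The sample config, the regex check list, the severities and the helper names (`analyse_config`, `severity_counts`, `Finding`) are assumptions chosen for illustration; they are not a reproduction of any vendor hardening guide or CIS Benchmark.

```python
"""Flag weak settings in a network-device configuration file.

Added example for the configuration-file analysis step of a network-device VA.
The config below is constructed for illustration, and the checks are a small,
hand-picked subset of common router/switch hardening points (assumptions for
this demo, not any vendor's or CIS's benchmark).
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: Cisco IOS-style running-config with several weak settings.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
no service password-encryption
enable password cisco123
username admin privilege 15 password 0 letmein
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet
 login local
line con 0
 logging synchronous
"""


@dataclass
class Finding:
    severity: str   # "high" or "medium" (assumed scale for this demo)
    line_no: int    # 1-based line in the config file
    text: str       # the offending config statement
    issue: str      # why it is considered weak


# (regex, severity, issue): each regex is tested against one global config line.
LINE_CHECKS = [
    (re.compile(r"^enable password\b"), "high",
     "enable password stores a plaintext/reversible secret; use 'enable secret'"),
    (re.compile(r"^username \S+ .*\bpassword (0 |7 )?\S+"), "high",
     "local user password stored as type 0 (plaintext) or type 7 (reversible); use 'secret'"),
    (re.compile(r"^no service password-encryption\b"), "medium",
     "password-encryption disabled; type 7 is weak obfuscation but better than plaintext"),
    (re.compile(r"^snmp-server community (public|private)\b"), "high",
     "default SNMP community string"),
    (re.compile(r"^snmp-server community \S+ RW\b"), "high",
     "read-write SNMP community; prefer SNMPv3, or at least RO plus an ACL"),
    (re.compile(r"^ip http server\b"), "medium",
     "cleartext HTTP management interface enabled; use 'ip http secure-server' or disable"),
]

# Context-dependent check: Telnet inside a 'line vty ...' block (remote management).
VTY_TELNET = re.compile(r"^\s*transport input .*\btelnet\b")


def analyse_config(config: str) -> list[Finding]:
    """Return one Finding per weak statement, in file order."""
    findings: list[Finding] = []
    section = None  # the enclosing 'line ...' block, if any
    for no, raw in enumerate(config.splitlines(), start=1):
        line = raw.rstrip()
        if not line:
            continue
        # Unindented lines are global statements; a 'line ...' statement opens a block.
        if not line.startswith(" "):
            section = line if line.startswith("line ") else None
        stripped = line.strip()
        for pattern, sev, issue in LINE_CHECKS:
            if pattern.search(stripped):
                findings.append(Finding(sev, no, stripped, issue))
        if section and section.startswith("line vty") and VTY_TELNET.search(line):
            findings.append(Finding(
                "high", no, stripped,
                f"{section}: Telnet allowed for remote management; restrict to SSH"))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings by severity, e.g. {'high': 6, 'medium': 2}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = analyse_config(SAMPLE_CONFIG)
    for f in results:
        print(f"[{f.severity.upper():6}] line {f.line_no:>3}: {f.text}\n         -> {f.issue}")
    print("summary:", severity_counts(results))
```

In a real engagement the input would be the `show running-config` export collected from each in-scope device (with admin access, as the slide notes), and the check list would be driven by the CIS Benchmark or vendor guide agreed in the scope; the point of the script is that a config review is a repeatable, line-by-line comparison against a known-weak pattern list rather than an eyeball exercise.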