SoW - VAPT Leadsquared


Indusface WAS

We Manage, We Secure, You Grow

SCOPE OF WORK VAPT - LEADSQUARED

To:
Anuraag Gorty, Leadsquared, Contact No. 9703904334

Indusface Contact:
Channdan Raath, VP-South, Mob: 9741430712
Indusface HQ: A/2-3, 3rd Floor, Status Plaza, Opp. Relish Resort, Atladara Old Padra Road, Vadodara-390020, Gujarat
PRODUCT SUITES:

RISK PROTECTION:

• APPTRANA FOR WEBSITES & APPLICATIONS - WEB APPLICATION & API PROTECTION (WAAP)
PLATFORM WITH INTEGRATED SCANNER, WAF, DDOS & BOT MITIGATION SOLUTION AND WEBSITE
ACCELERATION THROUGH CDN

• APPTRANA FOR APIS -INDUSTRY’S FIRST RISK BASED API PROTECTION PLATFORM WITH INTEGRATED
API SCANNER, WAF, DDOS & BOT MITIGATION SOLUTION & DISCOVERY OF SHADOW APIS

• SSL CERTIFICATES - PUBLICLY TRUSTED DIGITAL CERTIFICATES FOR WEBSITES. POWERED BY ENTRUST
DATACARD

RISK DETECTION:

• INDUSFACE WAS FOR WEBSITES - DYNAMIC APPLICATION SECURITY TESTING (DAST) PLATFORM FOR
WEBSITE RISK ASSESSMENT

• INDUSFACE WAS FOR MOBILE APPLICATIONS - DYNAMIC APPLICATION SECURITY TESTING (DAST)
PLATFORM FOR MOBILE APP RISK ASSESSMENT

• INDUSFACE WAS FOR API - DYNAMIC APPLICATION SECURITY TESTING (DAST) PLATFORM FOR API
RISK ASSESSMENT

1. SCOPE

Indusface WAS Advance provides continuous web application scanning to detect and report application
vulnerabilities. Offered as a standalone SaaS product, it helps discover and manage OWASP Top 10
vulnerabilities and malware risks by reporting them on the dashboard in real time.

Blacklisting and defacement detection help ensure that a public-facing application is not compromised in a
way that damages brand reputation. Indusface WAS Advance is easy to deploy and covers multiple security
needs, including vulnerability assessment, application auditing and malware monitoring.

Indusface proposes the Premium Plan of Indusface WAS to <Company Name> for <x> applications.

FEATURES

Continuous Application Scanning

• Daily or on-demand web application scanning to detect vulnerabilities

• Comprehensive security assessment giving the security posture of multiple web applications

1 www.indusface.com | Indusface, Confidential and Proprietary


Guided Scans:

• Guided Scans can be enabled to ensure that automated scans reach pages other scans cannot. The
details needed for this are collected by the Indusface team as and when required

Business Logic Vulnerability Checks

• Extensive manual penetration testing checks to discover application-specific business logic
vulnerabilities

OWASP Top 10 Detection

• Efficient detection of the most common application vulnerabilities, as categorised by OWASP

• Ongoing addition of detection for newly disclosed vulnerabilities as they are uncovered

Zero False Positives

• Expert vetting of vulnerabilities found by automated scanning removes false positives before they
are reported

Malware Monitoring

• Ongoing monitoring for malware attack vectors, including newly discovered malware that attackers
have effectively deployed against live applications
• Also detects dormant or inactive malware by monitoring external JavaScript and hidden iframes placed
on an application

Blacklisting Detection

• Tracks the application's blacklisting status on popular search engines and other platforms

• An external URL blacklisting check helps protect your customers from visiting "hacked" or
"infected" sites linked from your application, which could otherwise transfer malware to them

Defacement Detection

• Indusface WAS Premium continuously checks the application for content changes and flags changes that
look like a defacement
• Daily defacement checks protect the brand, credibility and reputation of the organisation
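The two checks described above, external JavaScript and hidden iframes under Malware Monitoring and content change under Defacement Detection, can be done passively from a fetched copy of the page. The following is an added example written for this page; it is not Indusface code and does not describe how Indusface WAS is implemented. It uses only the Python standard library, takes the page HTML as a string (fetching is left out), and the hostname, URLs and HTML samples are constructed for the demonstration.

```python
"""Passive page monitor: foreign script / hidden iframe detection plus a
defacement check against a stored text baseline.

Added example, not Indusface code. Host names, URLs and HTML below are
constructed for the demo; in practice the HTML comes from a scheduled fetch.
"""
from __future__ import annotations

import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Inline CSS commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I
)


class PageScanner(HTMLParser):
    """One pass over an HTML document collecting what both checks need."""

    def __init__(self, own_host: str) -> None:
        super().__init__()
        self.own_host = own_host.lower()
        self.external_scripts: list[str] = []  # script src on a foreign host
        self.hidden_iframes: list[str] = []    # iframes sized or styled to be invisible
        self.visible_text: list[str] = []      # text a visitor would actually see
        self._skip = 0                         # nesting depth inside <script>/<style>

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._skip += 1
            host = urlsplit(a.get("src", "")).hostname
            # Relative URLs have no host and are same-origin by construction.
            if host and host.lower() != self.own_host:
                self.external_scripts.append(a["src"])
        elif tag == "style":
            self._skip += 1
        elif tag == "iframe":
            tiny = {a.get("width", "").strip(), a.get("height", "").strip()} & {"0", "1"}
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.hidden_iframes.append(a.get("src", "<no src>"))

    def handle_endtag(self, tag: str) -> None:
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data: str) -> None:
        if not self._skip and data.strip():
            self.visible_text.append(data.strip())


def scan_page(html: str, own_host: str) -> PageScanner:
    scanner = PageScanner(own_host)
    scanner.feed(html)
    scanner.close()
    return scanner


def defacement_ratio(baseline: list[str], current: list[str]) -> float:
    """Share of visible text no longer matching the baseline: 0.0 identical, 1.0 fully replaced."""
    if not baseline and not current:
        return 0.0
    return round(1.0 - difflib.SequenceMatcher(a=baseline, b=current).ratio(), 3)


def check_page(html: str, own_host: str, baseline_text: list[str],
               deface_threshold: float = 0.5) -> dict:
    """Run both checks; a small change ratio is a content update, a large one a replaced page."""
    page = scan_page(html, own_host)
    ratio = defacement_ratio(baseline_text, page.visible_text)
    return {
        "external_scripts": page.external_scripts,
        "hidden_iframes": page.hidden_iframes,
        "change_ratio": ratio,
        "defaced": ratio >= deface_threshold,
        "visible_text": page.visible_text,
    }


# Constructed samples: the clean baseline, the same page with injected content, and a replaced page.
OWN_HOST = "leads.example.com"
BASELINE_HTML = """<html><head><title>Acme Leads</title>
<script src="/static/app.js"></script></head>
<body><h1>Welcome to Acme Leads</h1><p>Sign in to manage your pipeline.</p>
<p>Contact support for help.</p></body></html>"""
INFECTED_HTML = """<html><head><title>Acme Leads</title>
<script src="/static/app.js"></script>
<script src="//cdn.evil-example.test/miner.js"></script></head>
<body><h1>Welcome to Acme Leads</h1><p>Sign in to manage your pipeline.</p>
<p>Contact support for help.</p>
<iframe src="http://evil-example.test/drop" width="0" height="0" style="display:none"></iframe>
</body></html>"""
DEFACED_HTML = """<html><head><title>HACKED</title></head>
<body><h1>Owned by someone</h1><p>Your security is weak.</p></body></html>"""

if __name__ == "__main__":
    baseline = scan_page(BASELINE_HTML, OWN_HOST).visible_text  # stored at on-boarding
    for label, html in (("infected", INFECTED_HTML), ("defaced", DEFACED_HTML)):
        print(label, check_page(html, OWN_HOST, baseline))
```

The baseline is the visible text captured when the site is on-boarded; the injected script and frame leave it untouched (change ratio 0.0, so the content check alone would miss them), while the replaced page scores 1.0. Tune the threshold to the site's normal publishing churn.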

Informative Dashboard

• Comprehensive summary of reported vulnerabilities and malware, with support options, in
predefined report formats
• Customised reporting lets a user create reports based on the fields and format they need

Authenticated Scans

• Scanning of pages behind authentication is in scope. Authentication details should be provided
when the site is on-boarded

Managed by Security Experts

• Security experts mimic the techniques of real attackers to help identify risks in real time
• Business impact of vulnerabilities is demonstrated by chaining logical weaknesses within the
application

VULNERABILITIES AND THREATS ADDRESSED

OWASP Top 10

OWASP 1
• SQL Injection
• LDAP Injection
• OS commanding
• XQuery Injection
• XPath Injection

OWASP 2
• Session Management
• Privilege Escalation
• Insufficient Session Expiration

OWASP 3
• Test for XSS Detection

OWASP 4
• Path Traversal
• Insecure Direct Object Reference

OWASP 5
• Security misconfiguration (unused pages, unprotected files/folders), webserver and OS vulnerabilities
• Database error messages

OWASP 6
• Insufficient transport layer protection
• Check for SSL certificate attributes

OWASP 7
• Insufficient attack protection, user logoff in case of any attack, account brute force

OWASP 8
• Cross-Site Request Forgery

OWASP 9
• Known vulnerable frameworks and libraries
• Check for vulnerable software modules, product CVEs

OWASP 10
• Secure communication, API authentication, data formats, access control, injection attacks in APIs

Indusface Defined Checks
• Password auto-complete
• Service enumeration
• Port scanning
• Network device related vulnerabilities
• Hidden iframe detection
• Malicious file can be uploaded to the server
• Check HTTP methods, check for cookie attributes
• Application specific vulnerabilities (SSH, POP, SMTP, FTP, etc.)

Logical Checks
• Abuse of functionality
• Insufficient authentication
• Bypass authentication
• Insufficient process validation
• Server side validation
• Insufficient anti-automation
• Email ids can be harvested for spamming
• Insufficient password recovery
• Application does not display last login time

Malware Monitoring
• Malware infection detection for application users
• Suspicious activity (including zero day) happening on the application
• Application redirects user to blacklisted URL
• Malicious obfuscated JavaScript execution alert
• Website blacklisting status as reported by Google, McAfee, Norton, PhishTank etc.
• Website defacement detection
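Several of the items in the table above (check for cookie attributes and HTTP methods under Indusface Defined Checks, insufficient transport layer protection under OWASP 6, and webserver version disclosure under OWASP 5/9) can be evaluated from response headers alone. The following added example is written for this page and is not Indusface code; it assumes the response was obtained over HTTPS (so the HSTS check is meaningful), and the two raw responses, including the session cookie value, are constructed.

```python
"""Response-header hygiene checks over a raw HTTP/1.1 response.

Added example, not Indusface code. Both responses below are constructed; the
weak one shows a typical default deployment, the hardened one the same
endpoint with the findings fixed.
"""
from __future__ import annotations

import re

# Methods a public web application almost never needs exposed.
RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "CONNECT"}


def parse_response_head(raw: str) -> tuple[int, list[tuple[str, str]]]:
    """Split a raw response into (status code, [(lower-case header name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def header_values(headers: list[tuple[str, str]], name: str) -> list[str]:
    """All values for a header; Set-Cookie in particular may appear several times."""
    return [v for n, v in headers if n == name.lower()]


def check_cookie(set_cookie: str) -> list[str]:
    """Flag a Set-Cookie line lacking the attributes a session cookie should carry."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure (also sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly (readable by injected script)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"cookie {name}: SameSite not Lax/Strict (CSRF exposure)")
    return findings


def check_methods(allow: str) -> list[str]:
    """Compare the advertised Allow list against the risky set."""
    methods = {m.strip().upper() for m in allow.split(",") if m.strip()}
    return [f"method {m} enabled" for m in sorted(methods & RISKY_METHODS)]


def audit(raw_response: str) -> list[str]:
    """Return every finding as a plain string; empty list means the response passed."""
    _, headers = parse_response_head(raw_response)
    findings: list[str] = []
    for cookie in header_values(headers, "set-cookie"):
        findings += check_cookie(cookie)
    for allow in header_values(headers, "allow"):
        findings += check_methods(allow)
    # Only meaningful for an HTTPS response (assumed here).
    if not header_values(headers, "strict-transport-security"):
        findings.append("Strict-Transport-Security missing (insufficient transport layer protection)")
    for server in header_values(headers, "server"):
        if re.search(r"\d", server):  # a digit in the banner means a version is disclosed
            findings.append(f"Server banner discloses version: {server}")
    return findings


# Constructed responses; the cookie value is invented.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "Set-Cookie: JSESSIONID=3F2A9C; Path=/\r\n"
    "Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: JSESSIONID=3F2A9C; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Allow: GET, HEAD, POST, OPTIONS\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw) or "no findings")
```

An automated scanner runs exactly this kind of check on every response; the manual vetting the proposal describes is what decides whether, say, an exposed PUT is a real finding for this application or a documented part of its API.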

Application specific business logic checks

Application-specific business logic checks are carried out by security experts. The experts are given a
walkthrough of the web application to understand its functionality and the relevant threat scenarios
before business logic testing is performed.
