Last Update Status: Updated June 2021
Web application vulnerabilities account for the largest portion of attack vectors outside of malware. It is crucial that any web application be assessed for vulnerabilities and any vulnerabilities be remediated prior to production deployment.
The purpose of this policy is to define web application security assessments within FarmboxRX. Web application assessments are performed to identify potential or realized weaknesses as a result of inadvertent mis-configuration, weak authentication, insufficient error handling, sensitive information leakage, etc. Discovery and subsequent mitigation of these issues will limit the attack surface of FarmboxRX services available both internally and externally as well as satisfy compliance with any relevant policies in place.
This policy covers all web application security assessments requested by any individual, group or department for the purposes of maintaining the security posture, compliance, risk management, and change control of technologies in use at FarmboxRX.
All web application security assessments will be performed by delegated security personnel either employed or contracted by FarmboxRX. All findings are considered confidential and are to be distributed to persons on a "need to know" basis. Distribution of any findings outside of FarmboxRX is strictly prohibited unless approved by the Chief Information Officer.
Any relationships within multi-tiered applications found during the scoping phase will be included in the assessment unless explicitly limited. Limitations and subsequent justification will be documented prior to the start of the assessment.
4.1 Web applications are subject to security assessments based on the following criteria:
4.2 All security issues that are discovered during assessments must be mitigated based upon the following risk levels. The Risk Levels are based on the OWASP Risk Rating Methodology. Remediation validation testing will be required to validate fix and/or mitigation strategies for any discovered issues of Medium risk level or greater.
4.3 The following security assessment levels shall be established by the InfoSec organization or other designated organization that will be performing the assessments.
4.4 The current approved web application security assessment tools in use which will be used for testing are:
Other tools and/or techniques may be used depending upon what is found in the default assessment and the need to determine validity and risk are subject to the discretion of the Security Engineering team.
5.1 Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Any exception to the policy must be approved by the Infosec team in advance.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Web application assessments are a requirement of the change control process and are required to adhere to this policy unless found to be exempt. All application releases must pass through the change control process. Any web applications that do not adhere to this policy may be taken offline until such time that a formal assessment can be performed at the discretion of the Chief Information Officer.
OWASP Top Ten Project
OWASP Testing Guide
OWASP Risk Rating Methodology
|Date of Change||Responsible||Summary of Change|
|June 2021||FarmboxRX||Updated and converted to new format.|