16.13: Conduct Application Penetration Testing

Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user. 

  • Asset Type: Applications
  • Security Function: Protect
  • Implementation Groups: 3

Dependencies

  • Safeguard 2.1: Establish and Maintain a Software Inventory

Inputs

  1. GV5: Authorized Software Inventory
  2. Application Penetration Process for enterprise

Operations

  1. Determine whether Input 2 exists for the enterprise
    1. If the process exists, M1 = 1
    2. If the process does not exist, M1 = 0
  2. Use Input 1 (GV5) to identify and enumerate all applications within the enterprise (M2)
  3. For each application identified in Operation 2, determine whether an unauthenticated penetration test has been conducted per the process outlined in Input 2
    1. Identify and enumerate applications that have been tested (M3)
    2. Identify and enumerate applications that have not been tested (M4)
  4. Using the output of Operation 2, identify and enumerate the critical applications within the list of applications (M5)
  5. For each application identified in Operation 4, determine whether an authenticated penetration test has been conducted per the process outlined in Input 2
    1. Identify and enumerate applications that have been tested (M6)
    2. Identify and enumerate applications that have not been tested (M7)

Measures

  • M1 = Output of Operation 1
  • M2 = Count of applications within the enterprise
  • M3 = Count of applications that have undergone unauthenticated penetration testing per enterprise's process
  • M4 = Count of applications that have not undergone unauthenticated penetration testing per enterprise's process
  • M5 = Count of critical applications
  • M6 = Count of critical applications that have undergone authenticated penetration testing per enterprise's process
  • M7 = Count of critical applications that have not undergone authenticated penetration testing per enterprise's process

Metrics

  • If M1 is 0, this safeguard receives a failing score. The other metrics don't apply.

Unauthenticated Penetration Testing Coverage

  • Metric: The percentage of applications that underwent unauthenticated penetration testing per the enterprise's process
  • Calculation: M3 / M2

Authenticated Penetration Testing Coverage

  • Metric: The percentage of critical applications that underwent authenticated penetration testing per the enterprise's process
  • Calculation: M6 / M5
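The Operations, Measures and Metrics above are a procedure that can be scripted against the software inventory. The following is an added worked example, not code from the CIS controls project: it runs Operations 1 through 5 over a constructed inventory, returns M1 through M7 together with the application names behind M4 and M7 (the lists a remediation owner actually needs), and applies the Metrics rules, including the M1 = 0 failing case. The inventory record layout (an `Application` with `critical`, `unauthenticated_tested` and `authenticated_tested` fields) is an assumption; the page does not prescribe how GV5 records test status.

```python
"""Added example (not part of the CIS page): computing measures M1-M7 and the
two coverage metrics of Safeguard 16.13 from a software inventory (GV5).
The inventory record layout below is an assumption; the page defines none."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)
class Application:
    """One entry of the authorized software inventory (GV5). The two boolean
    test fields record whether a test was conducted per the enterprise's
    penetration-testing process (Input 2); this layout is assumed."""
    name: str
    critical: bool
    unauthenticated_tested: bool
    authenticated_tested: bool


# Constructed sample inventory; names and statuses are made up for the example.
SAMPLE_INVENTORY: List[Application] = [
    Application("payroll", critical=True, unauthenticated_tested=True, authenticated_tested=True),
    Application("customer-portal", critical=True, unauthenticated_tested=True, authenticated_tested=False),
    Application("intranet-wiki", critical=False, unauthenticated_tested=True, authenticated_tested=False),
    Application("build-server-ui", critical=False, unauthenticated_tested=False, authenticated_tested=False),
    Application("crm", critical=True, unauthenticated_tested=False, authenticated_tested=True),
]


def compute_measures(process_exists: bool, inventory: List[Application]) -> Dict[str, Any]:
    """Operations 1-5 of the safeguard. Returns the counts M1-M7 and, because
    Operations 3 and 5 ask to identify as well as enumerate, the application
    names behind M4 and M7 (the lists that drive remediation)."""
    m1 = 1 if process_exists else 0                                                  # Operation 1
    m2 = len(inventory)                                                              # Operation 2
    unauth_tested = [a.name for a in inventory if a.unauthenticated_tested]          # Operation 3.1
    unauth_untested = [a.name for a in inventory if not a.unauthenticated_tested]    # Operation 3.2
    critical = [a for a in inventory if a.critical]                                  # Operation 4
    auth_tested = [a.name for a in critical if a.authenticated_tested]               # Operation 5.1
    auth_untested = [a.name for a in critical if not a.authenticated_tested]         # Operation 5.2
    return {
        "M1": m1,
        "M2": m2,
        "M3": len(unauth_tested),
        "M4": len(unauth_untested),
        "M5": len(critical),
        "M6": len(auth_tested),
        "M7": len(auth_untested),
        "M4_applications": unauth_untested,
        "M7_applications": auth_untested,
    }


def compute_metrics(m: Dict[str, Any]) -> Dict[str, Optional[Any]]:
    """Metrics section: M1 = 0 is a failing score and the ratios are not
    computed; otherwise report the two coverage ratios. A ratio with a zero
    denominator (no applications, or no critical applications) is reported
    as None rather than raising."""
    if m["M1"] == 0:
        return {"failing": True, "unauthenticated_coverage": None, "authenticated_coverage": None}
    return {
        "failing": False,
        "unauthenticated_coverage": m["M3"] / m["M2"] if m["M2"] else None,  # M3 / M2
        "authenticated_coverage": m["M6"] / m["M5"] if m["M5"] else None,    # M6 / M5
    }


if __name__ == "__main__":
    measures = compute_measures(True, SAMPLE_INVENTORY)
    metrics = compute_metrics(measures)
    for key in ("M1", "M2", "M3", "M4", "M5", "M6", "M7"):
        print(f"{key} = {measures[key]}")
    print("Not tested (unauthenticated):", measures["M4_applications"])
    print("Critical, not tested (authenticated):", measures["M7_applications"])
    print(f"Unauthenticated coverage = {metrics['unauthenticated_coverage']:.0%}")
    print(f"Authenticated coverage   = {metrics['authenticated_coverage']:.0%}")
```

On the sample inventory this yields M2 = 5, M3 = 3, M4 = 2, M5 = 3, M6 = 2, M7 = 1, so 60% unauthenticated coverage and 67% authenticated coverage. Note that an application can count toward M6 while still appearing in M4 (here, "crm"): the two metrics are independent, and a critical application must be covered by both to satisfy the safeguard.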