company_application_and_data_security
Differences
company_application_and_data_security [2019/11/24 18:02] – [Organization of Risk & Information Security] lucy | company_application_and_data_security [2021/09/01 15:11] (current) – lucy
Line 178: | Line 178: | ||
| Do you regularly perform penetration tests on all systems relevant to your service? | yes | We use various web application vulnerability scanners and OS security auditing tools (Burp Suite, OpenVAS, Lynis, Nessus). Even though we've done our own human-based penetration tests in the past we do not perform human-based penetration assessment on a regular basis. | | | Do you regularly perform penetration tests on all systems relevant to your service? | yes | We use various web application vulnerability scanners and OS security auditing tools (Burp Suite, OpenVAS, Lynis, Nessus). Even though we've done our own human-based penetration tests in the past we do not perform human-based penetration assessment on a regular basis. | | ||
| How often are penetration tests done for the above scope (on average)? | yes | LUCY software is not a classic SaaS Plattform or Software. We do not perform penetration tests on client production instances. We release new Major updates of the software every 1-2 months, the software is mostly distributed as a virtual appliance (VMWare ESXi or Amazon image) and the process of automated penetration testing is tied to the release process - we perform such testing on the final stage of the release lifecycle. The set of application versions and software configurations of the version we are going to roll out exactly corresponds to the state of all systems after they migrate to the new version. For example, we are preparing version 5.0 for release and run penetration tests against it, within a virtual appliance. After all tests passed and all vulnerabilities are closed, we release the update, which is distributed over all existing software installations on different servers. All existing installations switch their state (install all required packages, remove old ones, change configuration, | | How often are penetration tests done for the above scope (on average)? | yes | LUCY software is not a classic SaaS Plattform or Software. We do not perform penetration tests on client production instances. We release new Major updates of the software every 1-2 months, the software is mostly distributed as a virtual appliance (VMWare ESXi or Amazon image) and the process of automated penetration testing is tied to the release process - we perform such testing on the final stage of the release lifecycle. The set of application versions and software configurations of the version we are going to roll out exactly corresponds to the state of all systems after they migrate to the new version. For example, we are preparing version 5.0 for release and run penetration tests against it, within a virtual appliance. 
After all tests passed and all vulnerabilities are closed, we release the update, which is distributed over all existing software installations on different servers. All existing installations switch their state (install all required packages, remove old ones, change configuration, | ||
+ | | On what standards does LUCY perform Penetration tests? | Yes| OSSTMM https:// | ||
==== Security incident detection and correlation ==== | ==== Security incident detection and correlation ==== | ||
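Review bot: the added row "On what standards does LUCY perform Penetration tests?" puts "Yes" in the Response column although the question is not a yes/no question, and the standards list in the Comments column breaks off after "OSSTMM https://", so the reference cannot be followed; suggest leaving Response empty or naming the standard there, and completing the URL and any further standards in Comments. The unchanged row above it also ends mid-sentence in both revisions ("All existing installations switch their state (install all required packages, remove old ones, change configuration,"), so the description of how installations migrate to the tested release is incomplete and should be finished before this section is relied on as an answer.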
Line 224: | Line 225: | ||
^ Questions ^ Response ^ Comments ^ | ^ Questions ^ Response ^ Comments ^ | ||
- | | Will you use tenant data for testing purposes? | no | | | + | | Will you use tenant data for testing purposes? | no | Using of tenant data is prohibited in test and development environments |
==== Data input and output validation ==== | ==== Data input and output validation ==== | ||
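Review bot: the new comment "Using of tenant data is prohibited in test and development environments" should read "Use of tenant data is prohibited in test and development environments", and as it only states the prohibition, a pointer to the policy or control that enforces it would make the "no" answer verifiable for the reader.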
Line 236: | Line 237: | ||
^ Questions ^ Response ^ Comments ^ | ^ Questions ^ Response ^ Comments ^ | ||
- | | Has the provider a defined and documented method for coping with a business continuity situation? | no | The software has not mission criticality for the business | + | | Has the provider a defined and documented method for coping with a business continuity situation? | yes | There is a Business Continuity Plan | |
==== Plans and procedures ==== | ==== Plans and procedures ==== | ||
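Review bot: the Response for the business continuity question flips from "no" to "yes" and the old justification ("The software has not mission criticality for the business") is replaced by "There is a Business Continuity Plan", which asserts existence only; suggest naming the plan document, its owner and last review date in the Comments column so the changed answer can be checked.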
^ Questions ^ Response ^ Comments ^ | ^ Questions ^ Response ^ Comments ^ | ||
- | | Has the provider implemented, | + | | Has the provider implemented, |
==== Data and production recovery ==== | ==== Data and production recovery ==== |
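Review bot: the row "Has the provider implemented," is cut off in both revisions, so neither the question, the Response nor the Comments are visible and the change cannot be reviewed; the full row should be restored in this revision.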
company_application_and_data_security.txt · Last modified: 2021/09/01 15:11 by lucy