G-Cloud IV Framework Service Definition Accenture Web Application Security Scanning as a Service

N/A
N/A
Protected

Academic year: 2021

Share "G-Cloud IV Framework Service Definition Accenture Web Application Security Scanning as a Service"

Copied!
9
0
0

Loading.... (view fulltext now)

Full text

(1)

G-Cloud IV Framework

Service Definition

(2)

Table of contents

1. Scope of our services
2. Approach
   a. HealthCheck Application Scan
   b. Bronze Application Scan
   c. Silver Application Scan
   d. Gold Application Scan
3. Assets and tools
4. Expected Outcomes
5. Pricing
6. Contacts


1. Scope of our services

This document describes Accenture’s Web Application Security Scanning as a Service, and should be read in conjunction with the associated Government Cloud IV Services documentation. The service is provided through the Accenture Cloud Platform (ACP), providing enterprise-ready cloud services for clients. ACP is described in more detail within Accenture’s IaaS Services.

The Web Application Security Scanning as a Service is a real-time, cloud-driven solution that inspects an application's security posture to discover vulnerabilities.

The service helps clients to request an on-demand security review of their Internet-facing web applications at any point in the development, testing or production processes.

Customers subscribe to a scanning package for specific applications, with each package consisting of security tests with selectable testing depth, frequency and results analysis.

Our service assists customers through tasks ranging from running the application scans to understanding the vulnerabilities, as well as remediation options and implementation support.

The service includes the following features:

- On-demand initiation of web application scanning for the entire application portfolio, with scanning choices to match different risk levels and compliance requirements
- Best in class automated application security scanning, powered by Cenzic, an enterprise-class provider of Dynamic Application Security Testing products
- Accenture's Assisted scanning provides dedicated support for scan execution and reporting by skilled threat and vulnerability management practitioners
- Accenture's Advanced support option offers false positive removal as well as security strategy, architecture, planning and remediation assistance

Regularly performing automated web application security assessments is an initial step towards increased application security confidence. To complement this, Accenture offers a comprehensive set of one-off application and infrastructure security testing services.

Accenture’s experience of delivering Security Services for clients globally has been streamlined into a recommended operating model called Threat and Vulnerability Management Capability. This TVM capability offers a complete spectrum of services that can be adapted to fit and build on the security maturity of any organisation. These optional services include:

- Vulnerability Scanning
- Security Reviews in the Software Delivery Lifecycle
- Source code analysis
- Penetration testing
- Configuration review

Furthermore, Accenture also provides a set of Managed Services that complement the Web Application Security as a Service Model, such as:

- Application Security Operations
- Security monitoring and reporting
- Infrastructure Security Management
- IT Risk and Compliance
- User and Identity Administration

2. Approach

Accenture delivers TVM services based on a standardised, common method. This helps confirm efficiency, repeatability and solid delivery whether you want to implement or operate a Capability or run an independent assessment.

Accenture’s TVM assessments allow clients to configure a custom package depending on the required scope. Various engagement levels are available depending on the threat environment and risk profile of the assets to be tested. This service allows users to perform security vulnerability assessment scans against web applications. Each application requires its own subscription, which allows flexibility in the assessment depth and level of support provided. Accenture Cloud Platform (ACP) clients can select from several different options.

Application Scans

The cornerstone of the service is four types of subscription, differentiated by the depth of testing and the type of applications covered. Each subscription option provides services focusing on scan coverage, typical usage and the associated benefits.

a. HealthCheck Application Scan

The HealthCheck Application Scan helps the client to assess the security posture immediately and at no charge by checking for a limited number of application-related vulnerabilities. This service should be leveraged as the initial step towards a stronger security posture, with no capital investment required. The scan should be applied to all applications regardless of their business criticality or operational importance.

b. Bronze Application Scan

The Bronze Application Scan focuses purely on basic vulnerabilities most often exploited by hackers in relation to the running application. However, web server configuration vulnerability checks are limited with this service. The results will provide greater insight into website security posture and how much effort needs to be completed in order to improve web application security. The scan may be applied to every application regardless of its business criticality or operational importance.

c. Silver Application Scan

The Silver Application Scan is a more robust website test that finds the most common defects that lead to a data breach and brand damage and also focuses extensively on web server vulnerability checks. The result of a Silver Application Scan will provide more insight into web server configuration aspects as well as web


d. Gold Application Scan

The Gold Application Scan is a comprehensive service combining tests from both the Bronze Application and Silver Application Scan. It also adds evaluations of input validation, credentials handling and transmission, and checks to uncover potential areas of application data leakage. The results of the Gold Application Scan provide the comprehensive information an automated scanning tool can deliver and help the client to receive a final report in a PCI 6.6 or OWASP Top 10 2010 compliant reporting format. This is critical for clients where PCI or OWASP standard compliance is required. The Gold Application Scan, as part of our scanning solution, is on the list of officially approved PCI scanning approaches. The Gold scan should be applied to web applications whose content already has significant value for the company.

Figure 1 – Subscription applicability pyramid

- % of Vulnerabilities and Application tested – Depicts the coverage/amount of vulnerability checks and the extent to which the application is tested
- Risk – Depicts the risk for the company if a particular application gets compromised
- Application Security Level – Communicates that the more important the application is, the more robust the testing that should be executed

Assisted Standard Scanning

The Assisted Standard Scan connects the client with an Accenture Security Practitioner, who is part of the Accenture Threat & Vulnerability Management team, for consuming the cloud-based security scanning service. The Accenture Security Practitioner will leverage the scanning portal to deliver the service on behalf of the client and will provide on-boarding support, scan execution and raw reporting. Additionally, the resource will be responsible for billing the client for labour hours following standard Accenture time reporting procedures. The scan is tailored to support clients that have an established skill set for remediation of identified vulnerabilities but are seeking assistance with on-boarding and execution to help them focus on potential vulnerability mitigations. This support model will also save the client's time in scenarios where large quantities of applications are to be submitted and assessed. All operations on the scanning interface will be handled by the Accenture TVM Team.

Assisted Advanced Scanning


provide remediation suggestions and a remediation roadmap. The scan is tailored to clients that seek support in the on-boarding, execution and remediation phases.

Service Deliverables

Depending on the support model selected, the following deliverables are provided:

- Raw scanning results
- Formatted executive summary with prioritised findings
- Detailed prioritised findings report
- Prioritised remediation recommendations
- Remediation roadmap

3. Assets and tools

Accenture’s accelerator assets and delivery methodologies around risk and threat analysis, vulnerability testing, penetration testing and vulnerability remediation management underpin this cloud based offering and bring the Accenture efficient delivery excellence to every project. Alongside these methods, the web application scanning tooling brings immediate potential benefit and security assurance from day one. Accenture’s Threat & Vulnerability Management advisors focus on how to deliver the most precise results and provide valuable remediation feedback to the client to assist in increasing security confidence at any point in time. Accenture has integrated this cloud-based dynamic web application scanning solution into the Accenture Cloud Platform – a cloud service broker platform to help decrease the time to client value for cloud services.

4. Expected Outcomes

Security is undoubtedly one of the most important and discussed topics today. Web Application Security Scanning as a Service (WASSaaS) aims to improve confidence in web application security by providing a solution that:

Requires low capital investment

A cloud-based approach to the solution lowers the investment requirements. The pay-as-you-go model enables the use of WASSaaS on an ad-hoc basis or periodically in defined intervals without the need to host the scanning servers, maintain the datacentre space or maintain scanning solution updates.

Provides commercial flexibility/custom scan requirements

Clients can tailor and consume their security scans via a self-service model. Each per-application subscription can be different in order to comply with client needs and requirements.

Eliminates client staffing needs

No additional client-based resources are needed. Typically, for web application testing engagements the client will require skilled web application testers for scan execution and operations workforce to maintain and upgrade the scanning solution. Instead of constantly maintaining these resources, WASSaaS enables the client to stay focused on securing web applications.

Provides scalability


business criticality and operational importance. Additionally, the client can use the Assisted Standard support model (See section 2.2) or the Assisted Advanced support model (See section 3.1) to engage with Accenture’s Threat & Vulnerability Management (TVM) experts who can provide further scanning assistance and guidance.

Offers compliance

Accenture’s WASSaaS solution can help organisations seeking PCI and OWASP compliance. For business critical applications, where the most robust subscription is recommended, we are able to provide PCI 6.6 and OWASP Top Ten 2010 compliant reports. The scanning engine in use is on the list of PCI officially approved application scanners (See section 4.4).

Example: A large telecommunications client lacked application security testing capabilities internally. No budget was available for a large application security program. Business challenges:

- Requirement for testing internet facing applications, authenticated (including web and mobile applications)
- Application Security testing is seen as a requirement following security issues, and a measure of the security is made internally by the compliance of applications to the OWASP standard
- One application with PCI compliance requires PCI compliance scans
- Advanced security testing (design review and penetration tests) to be performed on top of the standard Web Application Security Scanning as a Service security checks for the most critical applications

Approach:

- Selected the Cloud solution to perform scans, to benefit from low deployment and running costs

- Generated vulnerability reports for technical teams, as well as standard and compliance reports for internal OWASP compliance and external PCI certification maintenance

- The Accenture TVM team provided advanced reporting with False Positives removal as well as remediation assistance for the vulnerabilities reported

Results

- Client was able to get cost-effective point-in-time security results without a need for long negotiations, onboarding or contracting obstructions.

- Client received a list of suggested improvements, giving it the ability to implement new controls and increase the security maturity of the solution in a meaningful and systematic way.

- Client was able to get the assets re-tested as it progressed with the remediation work, for a fraction of the subscription price. This gave an actual view of whether the implemented controls successfully mitigated the particular vulnerability.

5. Pricing


6. Contacts

Simon Mitchell (Accenture Health & Public Services – Sales Lead)

Email: [email protected] Telephone: +44 7702 234537

Daniel W. Mellen (Offering Development Lead, Accenture Cloud Services – Security)

Email: [email protected] Telephone: +1 703 598 4316

7. About Accenture

Accenture is a global management consulting, technology services and outsourcing company, with approximately 269,000 people serving clients in more than 120 countries. Combining excellent experience, comprehensive capabilities across all industries and business functions, and extensive research on the world’s most successful companies, Accenture collaborates with clients to help them become high-performance businesses and governments. The company generated net revenues of US$27.9 billion for the fiscal year ended Aug. 31, 2012.

© 2013 Accenture. All Rights Reserved.

Accenture, its logo, and High Performance Delivered
