This document outlines the security standards and pentesting activities performed at Botium.
Please contact us for more detailed information.
Security Strategy
The focal points are:
- Continuous in-house testing of our services with established security testing tools (the corresponding reports can be provided on request)
- The cloud providers used for our SaaS offering (AWS, Azure, IBM) regularly carry out penetration tests of their own infrastructure
- Support for clients that require additional penetration tests of their own
Pentest Methodology
The methodology for penetration tests is inspired by OWASP standards and follows the steps described below. It's regularly updated based on new attack techniques and vulnerabilities that are discovered. The infrastructure penetration test methodology is aligned with NIST recommendations.
All typical tests outlined in the OWASP Testing Guide (V4) are performed, including but not limited to:
- Configuration and Deployment Management Testing
- Identity Management Testing
- Authentication and Authorization Testing
- Session Management Testing
- Input Validation Testing
- Testing for Error Handling
- Testing for Weak Cryptography
- Business Logic Testing and Client-Side Testing
The following tests are continuously performed by a vulnerability scanner:
- Fingerprinting the server software and technology
- Checking for vulnerabilities of server-side software
- Analyzing HTTP security headers
- Checking for secure communication
- Checking the robots.txt file
- Checking client access policies
- Checking for clear-text submission of passwords
- Checking for JavaScript vulnerabilities
- Searching for sensitive files
- Checking for interesting files
- Checking for information disclosure
- Checking for software identification
- Checking for administration consoles
- Spidering the target
- Scanning for XSS vulnerabilities
- Scanning for SQL Injection vulnerabilities
- Scanning for File Inclusion vulnerabilities
- Scanning for OS Command Injection vulnerabilities
- Scanning for passive vulnerabilities
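To make concrete what some of the passive scanner items above actually look for, here is an added example (not Botium's scanner and not code from this page): a small Node.js function that runs four of the listed checks over a captured HTTP response: HTTP security headers, secure communication (page served over TLS, no mixed content), clear-text submission of passwords (a password form posting to an http:// action or from an http:// page) and software identification (version strings in Server or X-Powered-By). The two sample responses, the header baseline and the hostname example.test are all constructed for the example.

```javascript
// Added example (not Botium's scanner): passive checks over a captured HTTP response.
// The required-header baseline below is an assumption; adjust it to the target's policy.
const REQUIRED_HEADERS = {
  'strict-transport-security': 'HSTS missing: browsers may still connect over plain HTTP',
  'content-security-policy': 'CSP missing: no restriction on script sources (XSS impact)',
  'x-content-type-options': 'X-Content-Type-Options missing: MIME sniffing possible',
  'x-frame-options': 'X-Frame-Options missing: page can be framed (clickjacking)',
};

// Parse "Name: value" lines into a lowercase-keyed map; the status line has no colon and is skipped.
function parseHeaders(rawHeaders) {
  const headers = {};
  for (const line of rawHeaders.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx < 1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Returns a list of human-readable findings for one response (empty list = nothing found).
function analyzeResponse({ url, rawHeaders, body }) {
  const findings = [];
  const headers = parseHeaders(rawHeaders);
  const overHttps = url.startsWith('https://');

  // Secure communication: the page itself must be served over TLS.
  if (!overHttps) findings.push('page served over plain HTTP');

  // Security headers: every header in the baseline must be present.
  for (const [name, message] of Object.entries(REQUIRED_HEADERS)) {
    if (!(name in headers)) findings.push(message);
  }

  // Software identification: a version number in Server / X-Powered-By.
  for (const name of ['server', 'x-powered-by']) {
    if (headers[name] && /\d+\.\d+/.test(headers[name])) {
      findings.push(`${name} header discloses software version: ${headers[name]}`);
    }
  }

  // Clear-text submission of passwords: a form with a password field whose action is
  // an http:// URL, or a relative action on a page that was itself fetched over http://.
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(body)) !== null) {
    const attrs = m[1];
    const inner = m[2];
    if (!/type\s*=\s*["']?password/i.test(inner)) continue;
    const actionMatch = /action\s*=\s*["']([^"']*)["']/i.exec(attrs);
    const action = actionMatch ? actionMatch[1] : '';
    const postsInClear = action.startsWith('http://') || (!/^https:\/\//i.test(action) && !overHttps);
    if (postsInClear) findings.push(`password form posts in clear text (action="${action}")`);
  }

  // Mixed content: active content loaded over http:// into an https:// page.
  if (overHttps && /<(?:script|iframe)[^>]+src\s*=\s*["']http:\/\//i.test(body)) {
    findings.push('mixed content: script or iframe loaded over plain HTTP');
  }

  return findings;
}

// Constructed sample responses: one weak login page and one hardened variant.
const WEAK = {
  url: 'http://example.test/login',
  rawHeaders: 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.41\r\nContent-Type: text/html',
  body: '<form action="http://example.test/login" method="post"><input name="u"><input type="password" name="p"></form>',
};

const HARDENED = {
  url: 'https://example.test/login',
  rawHeaders: [
    'HTTP/1.1 200 OK',
    'Server: nginx',
    'Strict-Transport-Security: max-age=63072000; includeSubDomains',
    "Content-Security-Policy: default-src 'self'",
    'X-Content-Type-Options: nosniff',
    'X-Frame-Options: DENY',
  ].join('\r\n'),
  body: '<form action="/login" method="post"><input name="u"><input type="password" name="p"></form>',
};

console.log('weak:', analyzeResponse(WEAK));
console.log('hardened:', analyzeResponse(HARDENED));
```

The weak sample yields seven findings (plain HTTP, four missing headers, an Apache version string and a password form posting to http://); the hardened sample yields none. A real scanner fetches the response with an HTTP client and adds the active checks (XSS, SQL injection, file inclusion, command injection) that this passive pass does not attempt.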
Incident Management
The Botium incident management plan is divided into the following phases:
- Preparation
- Analysis and Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
System and Application Patches
The release plan for all Botium products provides for a monthly deployment. In addition, weekly hotfix deployments are available on demand for application patches.
Operating system patches are carried out following cloud provider security guidelines.
User Access Management
All Botium products come with out-of-the-box support for Google Login and Active Directory (LDAP). Furthermore, they provide integrated user, role and permission management.
Auditing User Access
Botium does not record detailed audit trails of user activity, with the following exceptions:
- For each user, the date and time of the last login is recorded and persisted
- For every database record, the date, time and user that created the record are persisted
- For every database record, the date, time and user that made the last change to the record are persisted
Single-Sign-On (SSO)
Single-Sign-On is based on several different protocols.
Leading technologies such as SAML2, Google Auth and LDAP are already supported; others may need some customization.
Security Certifications
Botium provides products and services for clients in all domains, and every business area comes with its own certifications. We have therefore refrained from permanently feeding the security certification machine, which would drive up our product prices drastically. Instead we get certified on clients' demand and needs.
Data Storage
SaaS
Botium uses Amazon RDS as structured storage and Amazon EFS as object/binary/file storage.
Data Encryption
SaaS
The encryption of data within Botium environments covers data in transit and data at rest.
Encrypting data in transit
The Botium user interface is served over HTTPS with Let's Encrypt certificates (valid for 90 days), which are renewed automatically every three months.
Encrypting data at rest
- Structured data with Amazon RDS (including snapshots) - see the Amazon RDS documentation
- Object/binary/file storage with Amazon EFS - see the Amazon EFS documentation
- Logs and backups with Wasabi - see the Wasabi documentation
Personal Data
Botium products do not process any personal data. If desired, all tools can be operated with shared default accounts such as "admin" or "guest" instead of named user accounts.
Log Data
Botium products save system logs to support clients in case of problems. All log data is automatically deleted after two weeks.
Data Breach Notification
The data breach notification procedure is based on the following steps:
- Breach detection
- Risk assessment
- Handling of a high or severe risk assessment result
- Notification and provision of information
- Documentation and record keeping
Secure Development Practices
Secure development practices implemented in all Botium environments are shared within the teams through:
- Pair programming sessions
- Weekly knowledge-sharing sessions
- Secure coding workshops
- Regular code reviews
- Vulnerability scans
Recovery and Disaster plan
SaaS
- Botium takes daily snapshots of structured storage and file storage and keeps them for two weeks
- All SaaS instances can be rolled back to a snapshot of any date within the last two weeks
- An outage during disaster recovery will last up to 12 hours