Security Testing Recommendations Sample Clauses

Security Testing Recommendations. The vendor should perform a series of steps to verify the security of applications, some of which are noted below. This section will not be validated by the County, but reflects best practices that the vendor should consider and follow.
• Look for vulnerabilities at various layers of the target environment. In the lowest layer, the vendor’s testing team should look for flaws in the target network environment, including any routers and firewalls designed to control access to the web server and related target components. The team should attempt to determine whether such filters provide adequate protection at the network layer of the target hosts that the team can reach across the Internet.
• Look for flaws in the Internet-accessible hosts associated with the target infrastructure, including the web server. This host-based component of the test will analyze which network-accessible services are available on the target hosts across the Internet, including the web server process. The testing team should look for incorrect configuration, unpatched or enabled services, and other related problems on the target hosts.

This review performed by the vendor should include but not be limited to:
• The web application (i.e., the software that interacts with users at their web browsers; typically custom-crafted code created by the web development team)
• The web server application (the underlying software that sends and receives information via HTTP and HTTPS, typically off-the-shelf software such as Microsoft’s IIS or the open-source Apache software)
• Any separate backend application servers that process information from the web application
• The backend database systems that house information associated with the web application.
• Infrastructure diagrams.
• Configuration host review of settings and patch versions, etc.
• Full code review.
• Identification and remediation of well-known web server, code engine, and database vulnerabilities.
• Identification and remediation of any server and application administration flaws and an exploitation attempt of same.
• Analysis of user interface, normal application behavior, and overall application architecture for potential security vulnerabilities.
• Analysis of data communications between the application and databases or other backend systems.
• Manual analyses of all input facilities for unexpected behavior such as SQL injection, arbitrary command execution, and unauthorized data access.
• Analyses of user and group accoun...