Pentest Program

Introduction

anDREa is committed to protecting the security of its business information in the face of incidents and unwanted events and has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC 27001:2013, the international standard for information security.

The purpose of this document is to describe anDREa's Pentest Program.

This document is reviewed and updated at least annually, and whenever a significant change occurs.

Pentest Program

External Pentest process

Schedule

  1. At least once a year a pen-test must be completed.
    1. Major changes that impact the security boundaries of the Azure DRE Shared Tenant may trigger an ad-hoc pen-test.
    2. If a scheduled pen-test would take place within six months of an ad-hoc pen-test and no security boundary has changed since, the scheduled pen-test may be skipped; the skip must be logged in Policy Exceptions.
  2. The scheduled pen-test takes place every year in the first quarter.
  3. On or before December 1st the CTO provides the scope and target areas.
  4. On or before March 15th the pen-test must be completed.
  5. On or before June 1st the results, findings and recommendations must be presented to anDREa's Management Team (MT) and Dev-Team.

Procedure

Review & Risk Analysis
  1. The CTO, together with the dev-team and members of the CST, reviews and performs a risk analysis on at least the following documents:
    1. Architecture
    2. Risk and Incident findings
  2. The CTO assesses risks based on interviews with the following roles:
    1. MT
    2. (Core) Support Team
    3. Service Provider
    4. Representatives
  3. The CTO will:
    1. Update the documentation in Documents for Pen-Tester
    2. Create a sub folder under Pen-Test > General > Dossiers

Request for Proposal (RFP) (optional, but at least every three years)
  1. The CTO writes an RFP that includes:
    1. A description of the myDRE Shared Tenant functionality
    2. The scope and target areas of the pen-test
    3. The questions the pen-test must answer
  2. The CTO discusses the plan with MT, the dev-team and members of the CST, and adjusts it where appropriate.

Issue RFP and choose pen-tester
  1. The pen-test proposal must include:
    1. Time-lines
    2. Approach & methodology
    3. Costs

Meeting with pen-tester
  1. Explain:
    1. The purpose of the pen-test
    2. The responsibilities and duties of the pen-testers
  2. Give access to, and provide instructions for:
    1. Documents for Pen-Tester
    2. The sub folder under Pen-Test > General > Dossiers

Fact finding & Reporting by Pen-Tester
  1. The pen-tester logs findings and the report in the sub folder under Pen-Test > General > Dossiers.

Review & Analysis
  1. The CTO reviews the findings and recommendations with the dev-team and the CST.

Report findings and recommendations
  1. The CTO and MT decide on actions.
    1. Actions are logged in the Risk, Incidents and Treatment Plan Register.
  2. When there are no more follow-up questions:
    1. The CTO removes the pen-tester from Pen-Test Teams.
  3. The CTO updates Approvers > Audits and informs the relevant stakeholders.

Internal Pen-Test process

Schedule

  1. Internal pen-tests are ad-hoc driven and must occur when:
    1. A major change that impacts security boundaries has been implemented
    2. An unknown weakness is suspected
    3. An unknown weakness is reported

Procedure

Review & Risk Analysis
  1. The CTO, together with the dev-team and members of the CST, reviews and performs a risk analysis on at least the following documents:
    1. Architecture
    2. Risk and Incident findings
  2. The CTO assesses risks based on interviews with the following roles:
    1. MT
    2. (Core) Support Team
    3. Service Provider
    4. Representatives
  3. The CTO will:
    1. Update the documentation in Documents for Pen-Tester
    2. Create a sub folder under Pen-Test > General > Dossiers
    3. Assign one or more pen-testers

Pen-testers
  1. The internal pen-tester(s) write a plan, which must include:
    1. Approach & methodology

Meeting with pen-tester(s)
  1. Explain:
    1. The purpose of the pen-test
    2. The responsibilities and duties of the pen-testers
  2. Give access to, and provide instructions for:
    1. Documents for Pen-Tester
    2. The sub folder under Pen-Test > General > Dossiers

Fact finding & Reporting by Pen-Tester
  1. The pen-tester logs findings and the report in the sub folder under Pen-Test > General > Dossiers.

Review & Analysis
  1. The CTO reviews the findings and recommendations with the dev-team and the CST.

Report findings and recommendations
  1. The CTO and MT decide on actions.
    1. Actions are logged in the Risk, Incidents and Treatment Plan Register.
  2. When there are no more follow-up questions:
    1. The CTO removes the pen-tester from Pen-Test Teams.
  3. The CTO updates Approvers > Audits and informs the relevant stakeholders.


Access to Pentest Results

  1. All Security Officers of a Tenant can request access to the pen-test reports from the CTO.
  2. People with an account on support.mydre.org who are part of the Approver group have access via: https://support.mydre.org/portal/en/kb/approvers/audits


Related Articles

  • 20240510 - Pentest management summary
  • 20220624 Pentest 2022-Q2/Q3 Report
    As part of anDREa's commitment to maintaining an Information Security Management System (ISMS) based on ISO 27001 please feel free to download and read the attached anDREa's 20220624 Pentest 2022-Q2/Q3 Report. TLDR: none of the findings have any risk ...
  • 20230503 - Pentest management summary
    anDREa B.V. is continuously testing and improving the security of myDRE. As such myDRE is annually pentested and an Azure hardening audit is performed. By uncovering vulnerabilities and weaknesses, it can provide us with valuable insights and ...
  • 20210224 Pentest 2021-Q1 Report & 20210301 White Box Security Audit 2021-Q1 Report
    In accordance with our Pentest Program, anDREa engaged nSEC/Resilience for the anDREa White Box Security and the Pentesting 2021-Q1. The core questions being: Can non-authorized people or services access Workspaces or affect anDREa's core services? ...
  • Link to records
    anDREa's Access Control Policy applies. Some documents, records especially, might not be accessible. Authorized access will be issued based on invitation by anDREa. Access requests will be rejected by default. ISO 27001 related Record ISO 27001:2013 ...