EXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT

Similar documents
Web Application Whitepaper

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

IoT & SCADA Cyber Security Services

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Security Solutions. Overview. Business Needs

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Vulnerability Management

Atlassian Crowdsourced Penetration Test Results: January 2018

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Tiger Scheme QST/CTM Standard

RiskSense Attack Surface Validation for IoT Systems

Bank Infrastructure - Video - 1

Protect Your Organization from Cyber Attacks

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Cyber Security - Information Security & Testing

RiskSense Attack Surface Validation for Web Applications

Applications Security

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

C1: Define Security Requirements

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

COMPREHENSIVE REPORT BEAST HYBRID APPLICATION ASSESSMENT 2017

ROBOCYBERWALL INC. External Penetration Test Report. September 13, 2017

Web Application Vulnerabilities: OWASP Top 10 Revisited

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

External Supplier Control Obligations. Cyber Security

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

Choosing the Right Security Assessment

Engineering Your Software For Attack

CyberArk Privileged Threat Analytics

Vulnerability Assessments and Penetration Testing

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Development*Process*for*Secure* So2ware

REAL-WORLD STRATEGIES FOR MEDICAL DEVICE SECURITY

Top 10 Database Security Threats and How to Stop Them. Rob Rachwald Director of Security Strategy

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity

Hacking by Numbers OWASP. The OWASP Foundation

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

10 FOCUS AREAS FOR BREACH PREVENTION

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

An ICS Whitepaper Choosing the Right Security Assessment

Juniper Vendor Security Requirements

Checklist: Credit Union Information Security and Privacy Policies

Application Security Approach

Device Discovery for Vulnerability Assessment: Automating the Handoff

Product Security Briefing

CoreMax Consulting s Cyber Security Roadmap

Cyber Security Program

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

SECURITY & PRIVACY DOCUMENTATION

CSWAE Certified Secure Web Application Engineer

8 Must Have. Features for Risk-Based Vulnerability Management and More

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Security Communications and Awareness

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Secure Development Lifecycle

CS 356 Operating System Security. Fall 2013

Frequently Asked Questions WPA2 Vulnerability (KRACK)

Cybersecurity for Service Providers

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

SOCIAL NETWORKING IN TODAY S BUSINESS WORLD

Executive Summary. Flex Bounty Program Overview. Bugcrowd Inc Page 2 of 7

WEB APPLICATION VULNERABILITIES

Department of Management Services REQUEST FOR INFORMATION

POA Bridge. Security Assessment. Cris Neckar SECUREWARE.IO

Tiger Scheme SST Standards Web Applications

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Certified Secure Web Application Security Test Checklist

Vulnerabilities in online banking applications

Product Security Program

Best Practices in Securing a Multicloud World

Certified Secure Web Application Engineer

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

Securing Cloud Computing

ASSURANCE PENETRATION TESTING

Information Security Controls Policy

Copyright

Security Communications and Awareness

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

ShiftLeft. Real-World Runtime Protection Benchmarking

FDA & Medical Device Cybersecurity

90% of data breaches are caused by software vulnerabilities.

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

IBM Cloud Internet Services: Optimizing security to protect your web applications

The Common Controls Framework BY ADOBE

Objectives of the Security Policy Project for the University of Cyprus

Emerging Issues: Cybersecurity. Directors College 2015

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

SECURITY TESTING. Towards a safer web world

Third Party Security Review Process

Standard Categories for Incident Response (definitions) V2.1. Standard Categories for Incident Response Teams. Definitions V2.1.

Transcription:

EXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT FEBRUARY 18, 2016

This engagement was performed in accordance with the Statement of Work, and the procedures were limited to those described in that agreement. The findings and recommendations resulting from the assessment are provided in the attached report. Given the time-boxed scope of this assessment and its reliance on clientprovided information, the findings in this report should not be taken as a comprehensive listing of all security issues. This report is intended solely for the information and use of Adobe Systems, Inc. Bishop Fox Contact Information: +1 (480) 621-8967 contact@bishopfox.com 8240 S. Kyrene Road Suite A-113 Tempe, AZ 85284 Bishop Fox Confidential 2016/02/18 2

TABLE OF CONTENTS Table of Contents... 3 Executive Summary... 4 Project Overview... 4 Summary of Findings... 4 Detailed List of Findings... 5 Recommendations... 6 Appendix A Measurement Scales... 7 Finding Severity... 7 Bishop Fox Confidential 2016/02/18 3

EXECUTIVE SUMMARY Project Overview Adobe Systems, Inc. engaged Bishop Fox to assess the security of the ColdFusion (2016 release) and API Manager applications. The following report details the findings identified during the course of the engagement, which started on November 23, 2015. Goals Understand the ColdFusion (2016 release) and API Manager applications security posture Identify as many security issues as possible in the designated time and scope Identify and plan to manage previously unknown risks Comply with a customer s request for a third-party security assessment Approach The Bishop Fox team conducted a thorough Hybrid Application Assessment the ColdFusion (2016 release) and API Manager applications. The assessment activities included, but were not limited to: Automated static code analysis Manual penetration testing Candidate-point source code review Assessment of auxiliary installed services for best practices Finding Counts 2 Critical 5 High 5 Medium 0 Low 0 Informational 12 Total findings Remediation 12 Total findings fixed Scope ColdFusion (2016 release) (build 297727) ColdFusion API Manager (build 297727) Dates 11/23/2015 Kickoff 11/23/2015 12/29/2015 Active testing 02/18/2016 Report delivery Summary of Findings In aggregate, the ColdFusion (2016 release) and API Manager applications meet their security objectives. Seven high- and critical-risk vulnerabilities were identified during the assessment. The ColdFusion development team made significant efforts to remediate the findings or otherwise mitigate the issues. After remediation testing, the Bishop Fox team verified that all findings had been remediated or sufficiently mitigated. Bishop Fox Confidential 2016/02/18 4

Detailed List of Findings The following tables outline the engagement findings and their remediation status. Activity Identified Vulnerabilities Fixed Vulnerabilities Hybrid Application Assessment 12 12 Remediated findings Please refer to the Appendix for explanations of finding severity ratings. Activity Finding ID Vulnerability Identified Fixed CRITICAL SEVERITY Hybrid Application Assessment 1 2 Cross-site Request Forgery XML External Entity (XXE) Activity Finding ID Vulnerability Identified Fixed 3 Insecure File Upload 4 Server-side Request Forgery HIGH SEVERITY Hybrid Application Assessment 5 Arbitrary Remote Code Execution 6 Insecure Default Configurations 5 5 7 Sensitive Information Disclosure 3 3 Bishop Fox Confidential 2016/02/18 5

Activity Finding ID Vulnerability Identified Fixed 8 Insufficient Anti- Automation 2 2 9 User Interface Redress MEDIUM SEVERITY Hybrid Application Assessment 10 Weak Password Complexity Requirements 4 4 11 Vulnerable Software 2 2 12 Ineffective Access Controls Recommendations The Bishop Fox team performed remediation testing and noted that all issues have been successfully remediated or otherwise mitigated. Following the tactical steps in the next section will further reduce the attack surface of the ColdFusion (2016 release) and API Manager applications. TACTICAL NEXT STEPS Increase Client Security Awareness: Improve visibility of the ColdFusion security lockdown guides. These guides include a wealth of information to help customers improve the security baseline of their ColdFusion deployments. Bishop Fox Confidential 2016/02/18 6

APPENDIX A MEASUREMENT SCALES The Bishop Fox team used the following criteria to rate the findings in this report. Finding Severity The severity of each finding in this report is independent. Finding severity ratings combine direct technical and business impact with the worst-case scenario in an attack chain. The more significant the impact and the fewer vulnerabilities that must be exploited to achieve that impact, the higher the severity. Critical High Medium Low Informational Vulnerability is an otherwise high-severity issue with additional security implications that could lead to exceptional business impact. Examples include trivial exploit difficulty, business-critical data compromised, bypass of multiple security controls, direct violation of communicated security objectives, and largescale vulnerability exposure. Vulnerability may result in direct exposure including, but not limited to: the loss of application control, execution of malicious code, or compromise of underlying host systems. The issue may also create a breach in the confidentiality or integrity of sensitive business data, customer information, and administrative and user accounts. In some instances, this exposure may extend farther into the infrastructure beyond the data and systems associated with the application. Examples include parameter injection, denial-of-service, and cross-site scripting. Vulnerability does not lead directly to the exposure of critical application functionality, sensitive business and customer data, or application credentials. However, it can be executed multiple times or leveraged in conjunction with another issue to cause direct exposure. Examples include brute-forcing and client-side input validation. Vulnerability may result in limited exposure of application control, sensitive business and customer data, or system information. This type of issue only provides value when combined with one or more issues of a higher risk classification. Examples include overly detailed error messages, the disclosure of system versioning information, and minor reliability issues. Finding does not have a direct security impact but represents an opportunity to add an additional layer of security, is considered a best practice, or has the possibility of turning into an issue over time. Finding is a security-relevant observation that has no direct business impact or exploitability, but may lead to exploitable vulnerabilities. Examples include poor communication between engineering organizations, documentation that encourages poor security practices, and lack of security training for developers. Bishop Fox Confidential 2016/02/18 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback