InSite Responses to OWASP Top 20 Critical Security Controls

| # | Control | Implemented | Description |
|---|---------|-------------|-------------|
| 1 | Inventory of Authorized and Unauthorized Devices | Y | The AWS installation is tracked and controlled from the AWS console. The standalone server installation consists of a single firewalled server that interacts with no outside servers except GIT (the version control server); the GIT server is configured the same way. The development workstations are located in a secure firewalled network with controlled access. |
| 2 | Inventory of Authorized and Unauthorized Software | N | SELinux will be deployed on the servers by the end of this calendar year; macOS (development workstations) implements this control inside the OS. |
| 3 | Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers | Y | An automated patching process runs hourly via a cron job. Systems are installed in a minimal configuration and then updated from trusted repositories only. |
| 4 | Continuous Vulnerability Assessment and Remediation | N | OV-8 (OpenVAS, http://www.openvas.org/) will be installed on the servers by the end of 11/2015. |
| 5 | Malware Defenses | Y | ClamAV (http://www.clamav.net/) is currently installed on the GIT and production servers. |
| 6 | Application Software Security | Y | See the InSite responses to the CWE/SANS Top 25 Most Dangerous Software Errors. |
| 7 | Wireless Access Control | Y | Not applicable to the GIT and production servers (no wireless networks are attached to them). The development workstation network has a single monitored WPA2 wireless access point. |
| 8 | Data Recovery Capability | N | Most data is retrieved from the client's Jive database server and is already backed up on the Jive side. The core InSite configuration information will be backed up at least weekly; planned for implementation by the end of 11/2015. |
| 9 | Security Skills Assessment and Appropriate Training to Fill Gaps | Y | The technical team consists of one person, who works continually on improving their security skills. |
| 10 | Secure Configurations for Network Devices such as Firewalls, Routers, and Switches | Y | The production servers are protected by two firewalls; all port access is limited to the bare minimum and monitored. The security configuration is documented and reviewed monthly. |
| 11 | Limitation and Control of Network Ports, Protocols, and Services | Y | See #10 above. |
| 12 | Controlled Use of Administrative Privileges | Y | Only one person has access to the administrative accounts. All administrative activity is monitored both manually and automatically, and is logged automatically. All passwords must meet strong length and character-mix requirements. No default passwords are used. |
| 13 | Boundary Defense | Y | Access to the InSite application by client browsers is limited to the client-specified IP range whitelist and to the GIT/development servers. |
| 14 | Maintenance, Monitoring, and Analysis of Audit Logs | Y | All security logs are periodically audited by the technical specialist, stored via syslog, and kept on dedicated partitions with enough disk space to account for future growth. |
| 15 | Controlled Access Based on the Need to Know | Y | Only one person and three computers are involved in the production environment; all three computers sit behind multiple firewalls that allow only limited access to the systems, by that one person. |
| 16 | Account Monitoring and Control | Y | There is only one administrative account, used for maintenance. Use of the account is logged and monitored, and only one person holds credentials for it. |
| 17 | Data Protection | N | We will start storing all client data on encrypted partitions in Q1 2016. Since the production and GIT servers are located in an extremely secure facility (http://www.1and1.com/DataCenter), this is not much of a problem. We have also identified sensitive information (PII, accounts) and monitor its secure storage. 411 Labs is also self-certified under US-EU Safe Harbor (https://safeharbor.export.gov/companyinfo.aspx?id=28005). |
| 18 | Incident Response and Management | Y | The production configuration is extremely simple, so the incident response is equally straightforward: the network engineer receives an email or text about the incident and starts system monitoring, the servers are locked down, and an incident investigation is initiated. Servers are not released from lock-down until the root cause is determined and a mitigation is developed, tested, and implemented. |
| 19 | Secure Network Engineering | Y | There is no network in the current production configuration at 1and1. The AWS Virtual Private Cloud (VPC, https://aws.amazon.com/vpc/) is designed to be completely secure, with isolated DHCP, DNS, etc. |
| 20 | Penetration Tests and Red Team Exercises | Y | The production server is only accessible to the client VPNs. We also run penetration tests on the GIT server at least bi-weekly. |
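Control 13 above describes a boundary defense built on a client-specified IP range whitelist plus the fixed GIT/development server addresses. The following is an added example, not code from InSite or 411 Labs, of how such a deny-by-default allowlist check is implemented correctly: the ranges, host addresses and request sources are constructed sample values (RFC 5737/3849 documentation prefixes), the policy is parsed strictly so a typo in a range fails at load time rather than silently widening access, malformed sources are refused, and IPv4-mapped IPv6 sources are unwrapped so a dual-stack listener does not bypass an IPv4 whitelist entry.

```python
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network
from typing import Iterable, List, Optional, Tuple, Union

# Constructed sample policy (hypothetical, not taken from the page):
# client-specified ranges plus the fixed GIT/development server addresses.
CLIENT_RANGES = ["203.0.113.0/24", "2001:db8:10::/48"]
TRUSTED_HOSTS = ["198.51.100.7", "198.51.100.8"]

Address = Union[IPv4Address, IPv6Address]


def build_allowlist(ranges: Iterable[str], hosts: Iterable[str]) -> list:
    """Parse the policy once at load time.

    strict=True rejects a range whose host bits are set (e.g. '203.0.113.5/24'),
    which almost always means a typo in the whitelist; failing loudly here is
    safer than letting ip_network silently round it to the containing /24.
    A bare host address becomes a /32 (IPv4) or /128 (IPv6) network.
    """
    nets = [ip_network(r, strict=True) for r in ranges]
    nets += [ip_network(h) for h in hosts]
    return nets


def normalize(source: str) -> Optional[Address]:
    """Return the parsed source address, or None if it is not a valid address.

    An IPv4-mapped IPv6 address such as ::ffff:203.0.113.9 is unwrapped to its
    IPv4 form so that a client arriving over a dual-stack socket still matches
    an IPv4 whitelist entry (and cannot slip past one either way).
    """
    try:
        addr = ip_address(source.strip())
    except ValueError:
        return None
    if isinstance(addr, IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed(source: str, allowlist: list) -> bool:
    """Deny by default: unparsable input or anything outside the allowlist is refused.

    ipaddress returns False for a version mismatch (IPv4 address tested against
    an IPv6 network), so mixed-family policies need no special casing.
    """
    addr = normalize(source)
    if addr is None:
        return False
    return any(addr in net for net in allowlist)


def filter_requests(sources: Iterable[str], allowlist: list) -> Tuple[List[str], List[str]]:
    """Partition request sources into (allowed, denied); the denied list is what
    a boundary device or application should log for later audit (control 14)."""
    allowed: List[str] = []
    denied: List[str] = []
    for src in sources:
        (allowed if is_allowed(src, allowlist) else denied).append(src)
    return allowed, denied


if __name__ == "__main__":
    policy = build_allowlist(CLIENT_RANGES, TRUSTED_HOSTS)
    # Constructed sample sources: in-range clients, a mapped-IPv6 client,
    # a trusted host, an out-of-range host, and two malformed inputs.
    sample = ["203.0.113.9", "::ffff:203.0.113.9", "198.51.100.7", "198.51.100.9",
              "2001:db8:10:1::5", "2001:db8:11::1", "203.0.113.9; DROP", ""]
    ok, refused = filter_requests(sample, policy)
    print("allowed:", ok)
    print("denied :", refused)
```

The check is written against the parsed address rather than the raw string on purpose: string comparison would accept `203.0.113.9; DROP` if the comparison were a prefix match, and would reject a legitimate mapped-IPv6 client. The same logic translates directly into firewall rules or a security-group source list; the value of keeping a tested reference implementation is that the whitelist file can be validated before it is pushed to the boundary device.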