INSA Security Audit WIB

The INSA Security Audit Document for WIB Fashion outlines the security measures, functionalities, and architecture of the e-commerce platform, including vendor and user management, secure payment processing, and data privacy compliance. It details the defined scope for the security audit, covering areas such as infrastructure security, application security, and incident response plans. The document emphasizes the importance of secure coding standards, threat modeling, and ongoing security training to protect user data and ensure compliance with applicable regulations.

Uploaded by

entotoevents
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOC, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
78 views24 pages

INSA Security Audit WIB

The INSA Security Audit Document for WIB Fashion outlines the security measures, functionalities, and architecture of the e-commerce platform, including vendor and user management, secure payment processing, and data privacy compliance. It details the defined scope for the security audit, covering areas such as infrastructure security, application security, and incident response plans. The document emphasizes the importance of secure coding standards, threat modeling, and ongoing security training to protect user data and ensure compliance with applicable regulations.

Uploaded by

entotoevents
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOC, PDF, TXT or read online on Scribd
You are on page 1/ 24

INSA SECURITY AUDIT DOCUMENT

Prepared by WIB FASHION E COMMERCE APPLICATION

MEBA MULTIMEDIA PLC

APRIL 2023 GC
Chapter 1: WIB Fashion Application Description Document
Chapter 2: Defined Scope for the Security Audit
Chapter 3: Security Functionality Document
Chapter 4: Threat Modeling Document using OWASP Application Threat Modeling Method
Chapter 5: Secure Coding Standard Document
Chapter 6: Sample Test User Accounts
Chapter 7: Incident Response Plan
Chapter 8: Data Privacy and Compliance
Chapter 9: Business Continuity and Disaster Recovery Plan
Chapter 10: Security Awareness and Training
Chapter 11: Previous Security Test Reports
Conclusion
Chapter 1: WIB Fashion Application Description Document
1. Features and Functionalities
WIB Fashion is an e-commerce platform with a mobile app designed to connect multiple vendors
and buyers in Addis Ababa, Ethiopia, and beyond. The platform offers a user-friendly interface,
similar to Shein, with the following features and functionalities:
a. Vendor Management: Enables vendors to create profiles, manage products, track
inventory, and monitor sales performance.
b. Product Catalog: Allows vendors to showcase their products with high-resolution images,
detailed descriptions, and pricing information.
c. Shopping Cart and Checkout: Provides customers with a seamless shopping experience,
including the ability to add items to the cart, review orders, and proceed to a secure checkout
process.
d. Order Management: Facilitates the processing of orders, including order tracking, shipping
updates, and customer support.
e. Payment Processing: Integrates with multiple payment gateways to offer a secure
and convenient payment process for customers.
f. Ratings and Reviews: Allows customers to rate and review products and vendors, fostering
trust and promoting high-quality offerings.
g. User Account Management: Supports account creation, authentication, and management for
customers, vendors, and administrators.
h. Analytics and Reporting: Offers data-driven insights to help vendors and
administrators optimize their business strategies.
2. Actor/User Types
WIB Fashion supports the following actor/user types:
a. Customers: Users who browse, search for, and purchase products from vendors on
the platform.
b. Vendors: Businesses that create profiles, manage products, and fulfill orders for customers.
c. Administrators: Platform managers who oversee vendor and user management, maintain the
site, and ensure its smooth operation.
3. System Architecture
WIB Fashion employs a microservices-based architecture, utilizing the following components:
a. Frontend: Developed using React Native for the mobile app and React for the web application,
ensuring a consistent and responsive user experience.
b. Backend: Built on Node.js and Express.js, providing a scalable and efficient server-
side infrastructure.
c. Database: Leverages MongoDB for a flexible and scalable document-based storage solution.
d. API Gateway: Implemented using AWS API Gateway, enabling secure and
efficient communication between microservices.
e. Load Balancer: Uses AWS Elastic Load Balancing to distribute traffic across
multiple instances, ensuring high availability and fault tolerance.
4. Dependencies, System Minimum Requirements
WIB Fashion relies on the following dependencies and has the specified minimum system
requirements:
a. Frontend: React Native (for mobile app), React (for web application), Redux, Axios, and other
necessary libraries and frameworks.
b. Backend: Node.js, Express.js, and required middleware.
c. Database: MongoDB, including necessary drivers and libraries.
d. API Gateway: AWS API Gateway and associated SDKs.
e. Load Balancer: AWS Elastic Load Balancing.
For optimal performance, the following minimum system requirements are recommended:
a. Mobile App: Android 6.0 or iOS 10 and above.
b. Web Application: Modern web browsers such as Chrome, Firefox, Safari, or Edge.
c. Backend Infrastructure: Server with at least 4 GB of RAM and a multi-core processor.
5. Implemented Security Standards
WIB Fashion adheres to the following security standards to ensure the highest level of protection
for user data and transactions:
a. Data Encryption: Data is encrypted both in transit (using HTTPS and TLS) and at rest (using
AES-256 encryption).
b. Secure Authentication: Implements multi-factor authentication (MFA) and strong
password policies for all user types.
c. OWASP Top Ten: Regularly audits the application for vulnerabilities listed in the OWASP
Top Ten.

Chapter 2: Defined Scope for the Security Audit


The scope of the security audit for WIB Fashion encompasses the following key areas to ensure
the platform maintains the highest security standards and adheres to industry best practices:
1. Infrastructure Security: The audit will evaluate the security configurations, access
controls, and monitoring of the cloud-based infrastructure, including servers, databases,
and storage systems. It will also examine the implementation of security features such as
firewalls, intrusion detection systems, and traffic encryption.
2. Application Security: The audit will assess the security of both the mobile and web
applications, focusing on secure coding practices, input validation, output encoding, and
error handling. Additionally, the audit will review the implementation of secure
authentication, session management, and access controls for different user types.
3. API Security: The audit will examine the security of the API gateway and associated
microservices, ensuring that proper authentication, authorization, and data validation
mechanisms are in place. The review will also cover rate limiting, CORS
configurations, and API versioning.
4. Data Security and Privacy: The audit will evaluate the platform's data handling practices,
including data encryption (both in transit and at rest), data retention, and data disposal
policies. The audit will also assess compliance with applicable data protection
regulations, such as GDPR and local Ethiopian laws.
5. Third-Party Integrations: The audit will review the security and data handling practices
of third-party integrations, including payment gateways, shipping providers, and
analytics services, ensuring that the platform's security standards extend to all external
dependencies.
6. Incident Response and Recovery: The audit will assess WIB Fashion's incident
response plan, evaluating its effectiveness in detecting, containing, and resolving
security incidents. This includes reviewing the platform's backup and disaster recovery
mechanisms to ensure business continuity in the event of an incident.
7. Security Training and Awareness: The audit will evaluate the security training and
awareness programs in place for developers, administrators, and vendors to ensure that all
stakeholders are well-informed about the platform's security policies and best practices.
By covering these key areas, the security audit will provide a comprehensive assessment of WIB
Fashion's overall security posture, identifying potential vulnerabilities and areas for improvement
to ensure the highest level of protection for the platform's users and their data.

Chapter 3: Security Functionality Document

The Security Functionality Document outlines the security requirements for WIB Fashion,
derived from industry standards, applicable laws, and a history of past vulnerabilities. These
requirements ensure that the platform maintains a high level of security and protects user data
and transactions.
1. Data Encryption:
a. Encrypt all data in transit using HTTPS and TLS.
b. Encrypt sensitive data at rest using AES-256 encryption.
2. Authentication and Authorization:
a. Implement multi-factor authentication (MFA) for all user types.
b. Enforce strong password policies, including minimum length, complexity, and expiration.
c. Utilize role-based access control (RBAC) to limit access to sensitive information and
functionality.
3. Input Validation and Output Encoding:
a. Validate and sanitize all user inputs to prevent injection attacks.
b. Encode all output data to prevent cross-site scripting (XSS) attacks.
4. Session Management:
a. Generate unique session identifiers for each user session.
b. Expire sessions after a predefined period of inactivity.
c. Implement secure cookie handling with the HttpOnly and Secure flags.
5. Error Handling and Logging:
a. Implement proper error handling to prevent information leakage.
b. Log security-related events and monitor for suspicious activities.
6. Infrastructure Security:
a. Regularly update and patch servers, databases, and other infrastructure components.
b. Implement network segmentation and firewall rules to limit access to sensitive systems.
c. Deploy intrusion detection and prevention systems (IDPS) to monitor and block malicious
activities.
7. API Security:
a. Implement authentication and authorization mechanisms for API access.
b. Validate and sanitize all API inputs to prevent injection attacks.
c. Implement rate limiting to protect against denial of service (DoS) attacks.
8. Data Security and Privacy Compliance:
a. Adhere to applicable data protection laws, such as GDPR and local Ethiopian regulations.
b. Implement data retention and disposal policies in line with legal requirements.
c. Conduct regular privacy impact assessments (PIAs) to identify and mitigate risks to user data.
9. Third-Party Integration Security:
a. Review and monitor the security practices of third-party integrations, such as payment
gateways and shipping providers.
b. Limit the sharing of sensitive data with third parties and ensure data is encrypted during
transit.
10. Incident Response and Recovery:
a. Develop and maintain an incident response plan that outlines procedures for detecting,
containing, and resolving security incidents.
b. Implement regular backups and disaster recovery mechanisms to ensure business continuity in
the event of an incident.
11. Security Training and Awareness:
a. Provide regular security training and awareness programs for developers, administrators, and
vendors.
b. Ensure all stakeholders are informed about the platform's security policies and best practices.
By implementing these security requirements, WIB Fashion can maintain a high level of security
and protect the data and transactions of its users, while complying with industry standards and
applicable laws.

Chapter 4: Threat Modeling Document using OWASP Application Threat Modeling Method

This threat modeling document follows the OWASP application threat modeling method
to analyze the security of the WIB Fashion e-commerce platform. The structured approach
identifies, quantifies, and addresses the security risks associated with the application.
a. Decomposing the Application:
WIB Fashion can be decomposed into the following key components:
1. Mobile and Web Frontend
2. Backend Services
3. API Gateway
4. Database
5. Third-Party Integrations (Payment Gateway, Shipping Providers, etc.)
b. External Dependencies:
1. Cloud Service Providers - AWS
2. Payment Gateway Providers - Telebirr
3. Shipping Providers - Eshi Express
4. Analytics Services - Google Analytics
c. Entry Points, Assets, and Trust Levels:
Entry Points:
1. User Authentication (Login, Registration)
2. Product Browsing and Search
3. Shopping Cart and Checkout
4. Order Management
5. Vendor Management
6. User Account Management
7. API Endpoints
Assets:
1. User Data (Personal Information, Passwords)
2. Transaction Data (Payment Information, Order History)
3. Product Data (Images, Descriptions, Inventory)
4. Vendor Data (Profile Information, Sales Metrics)
5. Platform Configuration and Settings
Trust Levels:
1. Administrators: Highest trust level with access to all platform functionality.
2. Vendors: Moderate trust level with access to their products, orders, and sales data.
3. Delivery personnel.
4. Customers: Lowest trust level with access to their own account data and order history.
d. Threat List on Each Entry Point and Mitigation Techniques:
1. User Authentication:
● Threat: Brute force attacks, credential theft
● Mitigation: Implement rate limiting, account lockout policies, and multi-factor
authentication (MFA).
2. Product Browsing and Search:
● Threat: SQL Injection, Cross-site Scripting (XSS)
● Mitigation: Validate and sanitize user input, use parameterized queries, and
output encoding.
3. Shopping Cart and Checkout:
● Threat: Unauthorized access, session hijacking
● Mitigation: Use secure session management, implement access controls,
and encrypt sensitive data during transmission.
4. Order Management:
● Threat: Unauthorized access, data tampering
● Mitigation: Implement role-based access control (RBAC), validate and
sanitize user input, and use secure APIs.
5. Vendor Management:
● Threat: Unauthorized access, data leakage
● Mitigation: Implement role-based access control (RBAC), secure APIs,
and encrypt sensitive data at rest and in transit.
6. User Account Management:
● Threat: Unauthorized access, data leakage
● Mitigation: Implement access controls, encrypt sensitive data, and provide
user visibility and control over their data.
7. API Endpoints:
● Threat: Unauthorized access, data tampering, denial of service (DoS)
● Mitigation: Use API authentication and authorization, validate and sanitize
input, implement rate limiting, and employ CORS configurations.

By addressing these threats and implementing the appropriate mitigation techniques,
WIB Fashion can ensure a secure and robust e-commerce platform for its users.

Chapter 5: Secure Coding Standard Document

Secure coding standards provide rules and guidelines to prevent security vulnerabilities in
software development. By adhering to these standards, WIB Fashion can prevent, detect, and
eliminate errors that may compromise the security of its e-commerce platform.
1. Input Validation:
a. Always validate and sanitize user input to prevent injection attacks, such as SQL injection
and cross-site scripting (XSS).
b. Use allow-lists to define acceptable input values and reject any input that does not meet
these criteria.
c. Implement server-side validation in addition to client-side validation, as client-side validation
can be bypassed.
2. Output Encoding:
a. Encode all output data to prevent cross-site scripting (XSS) attacks.
b. Use appropriate encoding schemes, such as HTML entity encoding for HTML content or URL
encoding for URL components.
3. Authentication and Session Management:
a. Implement strong password policies, including minimum length, complexity, and
expiration requirements.
b. Use secure password hashing algorithms, such as bcrypt or Argon2, to store user passwords.
c. Generate unique session identifiers and implement secure session handling with the HttpOnly
and Secure flags for cookies.
4. Access Control:
a. Follow the principle of least privilege, granting users the minimum level of access required to
perform their tasks.
b. Implement role-based access control (RBAC) to manage user permissions and access to
sensitive resources.
c. Regularly review and update access control policies to ensure they remain effective.
5. Error Handling and Logging:
a. Implement proper error handling to prevent information leakage and ensure that sensitive
data is not exposed through error messages.
b. Log security-related events, such as failed login attempts and access to sensitive resources,
and monitor logs for suspicious activities.
c. Protect log files from unauthorized access and tampering.
6. Secure Communication:
a. Use HTTPS with TLS to encrypt data in transit and protect against eavesdropping and
man-in-the-middle attacks.
b. Implement proper certificate validation and management, including regular renewal
and revocation checks.
7. Code Review and Security Testing:
a. Conduct regular code reviews to identify and fix security vulnerabilities in the source code.
b. Incorporate security testing into the software development lifecycle, including static and
dynamic analysis, penetration testing, and vulnerability scanning.
8. Patch Management and Dependency Management:
a. Regularly update and patch all software components, including servers, databases, libraries,
and frameworks, to fix known security vulnerabilities.
b. Monitor and review third-party dependencies for security vulnerabilities and update them
as needed.
9. Secure Development Training:
a. Provide ongoing secure development training for developers and other relevant team members
to ensure they are aware of current security risks and best practices.
b. Encourage the use of resources such as the OWASP Top Ten Project and the OWASP Cheat
Sheet Series to stay informed about the latest security threats and mitigation techniques.
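Items 1 and 2 above (and the injection and XSS mitigations for product browsing and search in Chapter 4) are shown below in working form. This is an added example, not code from WIB Fashion or its developers; the SEARCH_RULES field set is an assumed shape for a product-search request, and validate, encodeHtml, encodeUrlComponent and renderSearchHeader are illustrative names. It uses no framework, so it runs under plain Node.

```javascript
// Added example (not WIB Fashion project code): allow-list input validation
// and context-specific output encoding on the server side.

// Allow-list rules for an assumed product-search request. Each field names the
// only type and shape accepted; everything else is rejected (5.1b).
const SEARCH_RULES = {
  q:    { type: 'string', pattern: /^[\p{L}\p{N} '-]{1,64}$/u },
  page: { type: 'number', min: 1, max: 10000 },
  sort: { type: 'string', oneOf: ['price_asc', 'price_desc', 'newest'] },
};

// Validates an already JSON-parsed `input` against `rules`. Returns
// { ok: true, value } holding only the known fields, or { ok: false, errors }.
// The type check matters on this stack: MongoDB treats nested objects such as
// {"$gt": ""} in a query filter as operators, so a field declared as a string
// must be rejected when it arrives as an object (5.1a, server side per 5.1c).
function validate(input, rules) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const value = {};
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(rules, key)) errors.push(`unknown field: ${key}`);
  }
  for (const [key, rule] of Object.entries(rules)) {
    const v = input[key];
    if (v === undefined) continue; // every field is optional in this demo
    if (typeof v !== rule.type) { errors.push(`${key}: expected ${rule.type}`); continue; }
    if (rule.pattern && !rule.pattern.test(v)) { errors.push(`${key}: invalid characters or length`); continue; }
    if (rule.oneOf && !rule.oneOf.includes(v)) { errors.push(`${key}: not an allowed value`); continue; }
    if (rule.type === 'number' && (!Number.isInteger(v) || v < rule.min || v > rule.max)) {
      errors.push(`${key}: out of range`);
      continue;
    }
    value[key] = v;
  }
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// 5.2b: HTML entity encoding for text placed into element content or a
// double-quoted attribute value.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// 5.2b: URL encoding for a value placed into one query-string component.
function encodeUrlComponent(s) {
  return encodeURIComponent(String(s));
}

// Renders a heading and a "next page" link from validated input. The link
// value is encoded twice, once per context: URL encoding for the query string,
// then HTML encoding because the URL sits inside an attribute.
function renderSearchHeader(query) {
  const q = query.q === undefined ? '' : query.q;
  const page = query.page === undefined ? 1 : query.page;
  const url = `/search?q=${encodeUrlComponent(q)}&page=${page + 1}`;
  return `<h1>Results for "${encodeHtml(q)}"</h1><a href="${encodeHtml(url)}">Next</a>`;
}
```

The allow-list rejects a search term containing angle brackets before it reaches the database or the page, and the encoders handle the values that the allow-list does permit, such as apostrophes and ampersands, so neither layer has to be perfect on its own.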
By following these secure coding standards, WIB Fashion can minimize the risk of security
vulnerabilities and maintain a robust and secure e-commerce platform for its users.

Chapter 6: Sample Test User Accounts

To facilitate the security testing process, the following sample test user accounts have been
created for each user type, except for the administrator. These accounts will be used by the
security testing team to perform various tests and assessments on the WIB Fashion e-commerce
platform.
● Client user
Email: [email protected]
Pass: Ljv6QXXYqQ5I
● Delivery user
Email: [email protected]
Pass: 7uxs8$Whkb5U
Please note that these accounts have limited access and do not have any elevated privileges. The
security testing team is expected to use these accounts responsibly and in accordance with the
agreed-upon testing guidelines. Additionally, ensure that the passwords for these test accounts
are shared securely with the testing team to prevent unauthorized access.
Upon completion of the security test, it is recommended to deactivate or delete these test
accounts to prevent any potential misuse. Regular monitoring and auditing of user accounts
should be performed to maintain the security and integrity of the WIB Fashion e-commerce
platform.

Chapter 7: Incident Response Plan


The Incident Response Plan for WIB Fashion is designed to provide a structured approach to
managing security incidents and minimizing their potential impact on the e-commerce
platform. This plan outlines the roles and responsibilities, communication channels, and
procedures for investigation and recovery in the event of a security breach or incident.

1. Incident Response Team (IRT)

The Incident Response Team (IRT) is responsible for managing security incidents
and coordinating the response efforts. Key members of the IRT include:

a. Incident Response Manager: Responsible for leading the response efforts, coordinating
team members, and communicating with stakeholders.
b. IT Security Analysts: Responsible for investigating the incident, identifying the root cause,
and recommending remediation measures.
c. Legal and Compliance Representatives: Responsible for ensuring adherence to legal and
regulatory requirements, and assessing potential liabilities.
d. Public Relations/Communications Representatives: Responsible for managing
external communications and public announcements.

2. Incident Detection and Classification


a. Monitor security logs, alerts, and reports for any signs of a security breach or incident.
b. Classify incidents based on their severity (e.g., low, medium, high) and potential impact
on the platform's operations, data, and reputation.

3. Incident Reporting

a. Employees, vendors, or customers should report suspected security incidents to the
IRT through a designated email address, phone number, or incident reporting form.
b. The IRT should document and track reported incidents, including the date, time, nature,
and details of the incident.

4. Incident Containment

a. Upon detection or notification of an incident, the IRT should initiate containment
measures to limit the potential impact on the platform and its users.
b. Containment measures may include isolating affected systems, revoking access credentials,
or disabling specific services or features.

5. Incident Investigation and Analysis

a. The IRT should conduct a thorough investigation to identify the root cause of the
incident, the extent of the damage, and any potential vulnerabilities that need to be addressed.
b. The investigation may involve analyzing logs, reviewing source code, or
conducting interviews with affected users or staff.

6. Incident Recovery and Remediation

a. Based on the investigation findings, the IRT should develop and implement a plan to
recover and restore affected systems, services, and data.
b. Remediation measures may include patching vulnerabilities, updating software,
or implementing new security controls.

7. Incident Closure and Lessons Learned

a. Once the incident has been resolved, the IRT should formally close the incident
and document the incident details, response actions, and outcomes.
b. Conduct a post-incident review to identify lessons learned and opportunities for
improvement, including updates to the Incident Response Plan, security policies, or employee
training programs.

8. Communication and Stakeholder Management

a. Maintain regular communication with internal and external stakeholders, including senior
management, employees, vendors, customers, and regulatory authorities as required.
b. Communicate the status of the incident response efforts, as well as any potential impacts
or risks, in a timely and transparent manner.

By having a comprehensive Incident Response Plan in place, WIB Fashion can respond
effectively to security incidents, minimize their potential impact, and maintain the trust
and confidence of its users and partners.

Chapter 8: Data Privacy and Compliance

WIB Fashion is committed to protecting the privacy and security of its users' personal
information. This document outlines how WIB Fashion complies with data protection regulations
such as GDPR, CCPA, and any local Ethiopian privacy laws. It includes information on data
retention policies, data subject rights, and privacy notices.

1. Data Collection and Processing


a. WIB Fashion collects and processes personal data of its users, including customers and
vendors, for the purposes of account creation, order processing, payment processing, and
communication.
b. Personal data is collected and processed based on users' consent, contractual obligations, or
legitimate business interests.
c. WIB Fashion limits the collection and processing of personal data to what is necessary for
the specified purposes.

2. Data Retention Policies

a. WIB Fashion retains personal data for as long as necessary to fulfill the purposes for which
it was collected or to comply with legal, regulatory, or contractual requirements.
b. Once the data is no longer needed, it is securely deleted or anonymized in accordance
with industry best practices and applicable regulations.

3. Data Subject Rights

a. WIB Fashion ensures that users can exercise their data protection rights, including the right
to access, rectify, erase, restrict processing, or object to processing of their personal data.
b. Users can submit requests to exercise their rights through a designated email address,
customer support form, or by contacting WIB Fashion's Data Protection Officer.
c. WIB Fashion processes user requests within the timeframes specified by applicable
regulations.

4. Privacy Notices

a. WIB Fashion provides clear and transparent privacy notices to its users, informing them
about the types of personal data collected, the purposes for which it is processed, and their rights
under applicable data protection laws.
b. Privacy notices are provided at the point of data collection and are easily accessible on the
WIB Fashion website and mobile app.
5. Data Security

a. WIB Fashion implements appropriate technical and organizational measures to protect
personal data from unauthorized access, disclosure, alteration, or destruction.
b. These measures include encryption, access controls, secure development practices, and
regular security audits.

6. Data Transfers

a. WIB Fashion ensures that any transfer of personal data to third parties or across borders
complies with applicable data protection regulations, including the use of standard contractual
clauses or other lawful transfer mechanisms.

7. Third-Party Processors and Vendors

a. WIB Fashion engages third-party processors and vendors that adhere to the same
data protection standards and requirements as WIB Fashion.
b. Agreements with these third parties include provisions for data privacy and security, as
well as requirements for reporting and managing data breaches or incidents.

8. Compliance Monitoring and Updates

a. WIB Fashion regularly monitors and reviews its data privacy and compliance program
to ensure ongoing adherence to applicable regulations and best practices.
b. Any changes or updates to data protection regulations or requirements are promptly
assessed and integrated into WIB Fashion's policies and procedures.

By implementing robust data privacy and compliance measures, WIB Fashion demonstrates its
commitment to protecting the personal information of its users and ensuring the security and
trustworthiness of its e-commerce platform.
Chapter 9: Business Continuity and Disaster Recovery Plan

WIB Fashion's Business Continuity and Disaster Recovery Plan (BCDRP) outlines the
procedures and processes for maintaining or resuming business operations in the event of a
disruptive incident, such as a natural disaster, cyber attack, or system failure. The plan aims to
minimize the impact of such incidents on WIB Fashion's e-commerce platform, its users, and
its business partners.

1. Business Impact Analysis (BIA)

a. Identify and prioritize the critical business functions, processes, and systems that
support WIB Fashion's e-commerce platform.
b. Assess the potential impact of various disruptive incidents on these critical elements,
considering factors such as downtime, financial losses, and reputational damage.

2. Risk Assessment and Mitigation

a. Identify and assess potential risks and threats to WIB Fashion's critical business
functions, processes, and systems.
b. Implement appropriate risk mitigation measures, such as redundant infrastructure,
data backups, and emergency power supplies.

3. Incident Response and Crisis Management

a. Establish an Incident Response Team (IRT) responsible for managing disruptive
incidents and coordinating the recovery efforts.
b. Develop and maintain an Incident Response Plan (IRP) that outlines the roles,
responsibilities, and procedures for responding to and managing disruptive incidents.

4. Recovery Strategies

a. Develop recovery strategies for each critical business function, process, and system
identified in the BIA, considering factors such as Recovery Time Objectives (RTOs)
and Recovery Point Objectives (RPOs).
b. Implement appropriate recovery solutions, such as data replication, alternative
processing sites, or backup service providers.

5. Business Continuity Plans (BCPs)

a. Develop and document detailed Business Continuity Plans (BCPs) for each critical business
function, process, and system, outlining the steps and resources needed to maintain or resume
operations following a disruptive incident.
b. Ensure that BCPs address key aspects such as communication, resource allocation, and
coordination with external partners and stakeholders.

6. Disaster Recovery Plans (DRPs)

a. Develop and document detailed Disaster Recovery Plans (DRPs) for each critical business
function, process, and system, outlining the steps and resources needed to restore IT systems,
data, and infrastructure following a disruptive incident.
b. Ensure that DRPs address key aspects such as data recovery, system restoration,
and infrastructure repair or replacement.

7. Training and Awareness

a. Provide regular training and awareness programs for employees and partners on the
BCDRP, including their roles and responsibilities in the event of a disruptive incident.
b. Conduct regular exercises and drills to test and validate the BCDRP, identify gaps
or weaknesses, and improve overall preparedness and resilience.

8. Plan Maintenance and Updates

a. Regularly review and update the BCDRP to ensure that it remains relevant and effective
in the face of changing business requirements, technologies, and threats.
b. Incorporate lessons learned from actual incidents, exercises, and industry best practices into
the BCDRP to continuously improve its effectiveness.

By having a comprehensive Business Continuity and Disaster Recovery Plan in place, WIB
Fashion can enhance its resilience to disruptive incidents, minimize the potential impact on its
e-commerce platform and users, and ensure the continuity of its business operations.

Chapter 10: Security Awareness and Training

A robust security awareness and training program is essential for ensuring the security of WIB
Fashion's e-commerce platform. This document outlines the security awareness and training
program for employees, including the topics covered, frequency of training, and methods of
delivery.

1. Training Objectives

a. Increase employee awareness of security threats and vulnerabilities.
b. Ensure employees understand their roles and responsibilities in maintaining the security of
WIB Fashion's e-commerce platform.
c. Promote a security-conscious culture within the organization.
d. Provide employees with the knowledge and skills necessary to protect WIB
Fashion's information assets.

2. Topics Covered

a. Security policies and procedures, including the acceptable use of systems and data, password
management, and incident reporting.
b. Common security threats and attack vectors, such as phishing, social engineering, and
malware.
c. Secure coding practices, including input validation, error handling, and secure data storage.
d. Data privacy and compliance, including the handling of personal information and the
requirements of applicable regulations.
e. Incident response and business continuity planning, including employee roles and
responsibilities during a security incident or disruptive event.
f. Physical security measures, such as access controls, visitor management, and the
protection of sensitive areas and assets.

3. Frequency of Training

a. New employees should receive security awareness training as part of their onboarding
process.
b. Existing employees should receive refresher training at least annually, or more frequently
as needed based on changes in the threat landscape or the organization's security policies and
procedures.
c. Additional, targeted training should be provided to employees with specific security
responsibilities or roles, such as developers, system administrators, or incident responders.

4. Methods of Delivery

a. Instructor-led training, either in-person or virtual, to provide employees with the
opportunity to interact with trainers and ask questions.
b. Self-paced online training modules, which allow employees to complete training at their
own pace and convenience.
c. Interactive exercises and simulations, such as phishing tests or incident response tabletop
exercises, to help employees practice and apply their security knowledge in realistic scenarios.
d. Security awareness materials, such as posters, newsletters, or email reminders, to reinforce
key security messages and maintain employee engagement.

5. Evaluation and Improvement

a. Assess the effectiveness of the security awareness and training program through regular
evaluations, such as surveys, quizzes, or feedback sessions.
b. Use evaluation results to identify areas for improvement, update training materials, and
tailor the program to the organization's specific needs and challenges.
c. Monitor security incidents, policy violations, and other relevant metrics to measure the
impact of the training program on employee behavior and the overall security posture of
the organization.

By implementing a comprehensive security awareness and training program, WIB Fashion
can equip its employees with the knowledge and skills necessary to protect the organization's
information assets and ensure the security of its e-commerce platform.

Chapter 11: Previous Security Test Reports

WIB Fashion has a history of conducting regular security tests to ensure the safety and security
of its e-commerce platform. The following is a summary of previous security test reports,
highlighting the significant findings and remediation efforts taken.

1. Security Test Report - Year 1

a. Vulnerability Assessment and Penetration Testing (VAPT) conducted by an
external cybersecurity firm.
b. Identified vulnerabilities:
- Insecure direct object references
- Cross-site scripting (XSS)
- Insufficient session management
c. Remediation efforts:
- Implemented proper access controls and object-level authorization.
- Employed secure coding practices to prevent XSS attacks.
- Strengthened session management and implemented secure cookie attributes.
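The two Year 1 remediations above (object-level authorization against insecure direct object references, and secure cookie attributes for session management), shown as an added, framework-free example; this is illustrative code, not WIB Fashion's implementation, and the order data, user ids and role names are constructed for the example.

```python
"""Added example: object-level authorization for an order lookup, and a
session cookie carrying secure attributes. Names and data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int    # customer who placed the order
    vendor_id: int   # vendor fulfilling the order
    total: float


# Constructed sample data: two customers (7 and 8), one vendor (42).
ORDERS = {
    1001: Order(1001, owner_id=7, vendor_id=42, total=59.90),
    1002: Order(1002, owner_id=8, vendor_id=42, total=120.00),
}


class Forbidden(Exception):
    """Caller is authenticated but not entitled to this object."""


def get_order_insecure(order_id: int):
    """The 'before' pattern behind an insecure direct object reference:
    the identifier taken from the request is used as-is, with no check
    that the authenticated caller may read this particular record."""
    return ORDERS.get(order_id)


def get_order(order_id: int, caller_id: int, caller_role: str) -> Order:
    """Hardened lookup. Authentication is assumed to have already established
    caller_id and caller_role; this function adds the object-level check:
    customers read only their own orders, vendors only orders they fulfil."""
    order = ORDERS.get(order_id)
    if order is None:
        raise KeyError(order_id)
    is_owner = caller_role == "customer" and order.owner_id == caller_id
    is_vendor = caller_role == "vendor" and order.vendor_id == caller_id
    if not (is_owner or is_vendor):
        # Deny (and in production, log) instead of returning someone else's data.
        raise Forbidden(f"user {caller_id} may not read order {order_id}")
    return order


def session_cookie(session_id: str, max_age: int = 3600) -> str:
    """Set-Cookie value with the attributes the remediation refers to:
    Secure (HTTPS only), HttpOnly (hidden from page scripts) and
    SameSite=Strict (not sent on cross-site requests)."""
    return (f"session={session_id}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")
```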

2. Security Test Report - Year 2

a. Internal security audit performed by WIB Fashion's in-house cybersecurity team.
b. Identified vulnerabilities:
- Insecure API endpoints
- Inadequate logging and monitoring
c. Remediation efforts:
- Secured API endpoints with proper authentication and authorization mechanisms.
- Enhanced logging and monitoring capabilities to detect and respond to security
incidents more effectively.

These previous security test reports demonstrate WIB Fashion's commitment to maintaining a
secure e-commerce platform. Regular security testing has allowed the company to identify and
remediate vulnerabilities proactively, ensuring a safe and secure online shopping experience
for its users.

Conclusion

In this document, we have outlined the various aspects of the WIB Fashion e-commerce
platform's security, providing a comprehensive overview of its features, user types, system
architecture, dependencies, and security standards. We have also defined the scope of the
security audit, detailed security functionality requirements, and presented a threat
modeling document based on the OWASP application threat modeling method.

By adhering to secure coding standards and incorporating the findings from previous security
tests, WIB Fashion demonstrates its commitment to maintaining a high level of security for its
users. The platform's continuous focus on addressing potential vulnerabilities and regularly
updating its security measures ensures that user data and transactions remain protected.

As the platform continues to grow and evolve, it is crucial for WIB Fashion to stay up-to-date
with the latest security trends and best practices. Regular security audits, code reviews, and
testing should be conducted to identify and address any new vulnerabilities that may arise. By
fostering a culture of security awareness and implementing a proactive approach to risk
management, WIB Fashion can continue to provide a secure and reliable e-commerce
platform for its customers and vendors in Addis Ababa, Ethiopia, and beyond.
