INSA Security Audit WIB
APRIL 2023 GC
Chapter 1: WIB Fashion Application Description Document
Chapter 2: Defined Scope for the Security Audit
Chapter 3: Security Functionality Document
Chapter 4: Threat Modeling Document using OWASP Application Threat Modeling Method
Chapter 5: Secure Coding Standard Document
Chapter 6: Sample Test User Accounts
Chapter 7: Incident Response Plan
Chapter 8: Data Privacy and Compliance
Chapter 9: Business Continuity and Disaster Recovery Plan
Chapter 10: Security Awareness and Training
Chapter 11: Previous Security Test Reports
Conclusion
Chapter 1: WIB Fashion Application Description Document
1. Features and Functionalities
WIB Fashion is an e-commerce platform with a mobile app designed to connect multiple vendors
and buyers in Addis Ababa, Ethiopia, and beyond. The platform offers a user-friendly interface,
similar to Shein, with the following features and functionalities:
a. Vendor Management: Enables vendors to create profiles, manage products, track
inventory, and monitor sales performance.
b. Product Catalog: Allows vendors to showcase their products with high-resolution images,
detailed descriptions, and pricing information.
c. Shopping Cart and Checkout: Provides customers with a seamless shopping experience,
including the ability to add items to the cart, review orders, and proceed to a secure checkout
process.
d. Order Management: Facilitates the processing of orders, including order tracking, shipping
updates, and customer support.
e. Payment Processing: Integrates with multiple payment gateways to offer a secure
and convenient payment process for customers.
f. Ratings and Reviews: Allows customers to rate and review products and vendors, fostering
trust and promoting high-quality offerings.
g. User Account Management: Supports account creation, authentication, and management for
customers, vendors, and administrators.
h. Analytics and Reporting: Offers data-driven insights to help vendors and
administrators optimize their business strategies.
2. Actor/User Types
WIB Fashion supports the following actor/user types:
a. Customers: Users who browse, search for, and purchase products from vendors on
the platform.
b. Vendors: Businesses that create profiles, manage products, and fulfill orders for customers.
c. Administrators: Platform managers who oversee vendor and user management, maintain the
site, and ensure its smooth operation.
3. System Architecture
WIB Fashion employs a microservices-based architecture, utilizing the following components:
a. Frontend: Developed using React Native for the mobile app and React for the web application,
ensuring a consistent and responsive user experience.
b. Backend: Built on Node.js and Express.js, providing a scalable and efficient server-
side infrastructure.
c. Database: Leverages MongoDB for a flexible and scalable document-based storage solution.
d. API Gateway: Implemented using AWS API Gateway, enabling secure and
efficient communication between microservices.
e. Load Balancer: Uses AWS Elastic Load Balancing to distribute traffic across
multiple instances, ensuring high availability and fault tolerance.
4. Dependencies, System Minimum Requirements
WIB Fashion relies on the following dependencies and has the specified minimum system
requirements:
a. Frontend: React Native (for mobile app), React (for web application), Redux, Axios, and other
necessary libraries and frameworks.
b. Backend: Node.js, Express.js, and required middleware.
c. Database: MongoDB, including necessary drivers and libraries.
d. API Gateway: AWS API Gateway and associated SDKs.
e. Load Balancer: AWS Elastic Load Balancing.
For optimal performance, the following minimum system requirements are recommended:
a. Mobile App: Android 6.0 or iOS 10 and above.
b. Web Application: Modern web browsers such as Chrome, Firefox, Safari, or Edge.
c. Backend Infrastructure: Server with at least 4 GB of RAM and a multi-core
processor.
5. Implemented Security Standards
WIB Fashion adheres to the following security standards to ensure the highest level of protection
for user data and transactions:
a. Data Encryption: Data is encrypted both in transit (using HTTPS and TLS) and at rest (using
AES-256 encryption).
b. Secure Authentication: Implements multi-factor authentication (MFA) and strong
password policies for all user types.
c. OWASP Top Ten: Regularly audits the application for vulnerabilities listed in the OWASP
Top Ten.
Chapter 3: Security Functionality Document
The Security Functionality Document outlines the security requirements for WIB Fashion,
derived from industry standards, applicable laws, and a history of past vulnerabilities. These
requirements ensure that the platform maintains a high level of security and protects user data
and transactions.
1. Data Encryption:
a. Encrypt all data in transit using HTTPS and TLS.
b. Encrypt sensitive data at rest using AES-256 encryption.
2. Authentication and Authorization:
a. Implement multi-factor authentication (MFA) for all user types.
b. Enforce strong password policies, including minimum length, complexity, and
expiration.
c. Utilize role-based access control (RBAC) to limit access to sensitive
information and functionality.
3. Input Validation and Output Encoding:
a. Validate and sanitize all user inputs to prevent injection attacks.
b. Encode all output data to prevent cross-site scripting (XSS) attacks.
4. Session Management:
a. Generate unique session identifiers for each user session.
b. Expire sessions after a predefined period of inactivity.
c. Implement secure cookie handling with the HttpOnly and Secure flags.
5. Error Handling and Logging:
a. Implement proper error handling to prevent information leakage.
b. Log security-related events and monitor for suspicious activities.
6. Infrastructure Security:
a. Regularly update and patch servers, databases, and other infrastructure components.
b. Implement network segmentation and firewall rules to limit access to sensitive systems.
c. Deploy intrusion detection and prevention systems (IDPS) to monitor and block malicious
activities.
7. API Security:
a. Implement authentication and authorization mechanisms for API access.
b. Validate and sanitize all API inputs to prevent injection attacks.
c. Implement rate limiting to protect against denial of service (DoS) attacks.
8. Data Security and Privacy Compliance:
a. Adhere to applicable data protection laws, such as GDPR and local Ethiopian regulations.
b. Implement data retention and disposal policies in line with legal requirements.
c. Conduct regular privacy impact assessments (PIAs) to identify and mitigate risks to user data.
9. Third-Party Integration Security:
a. Review and monitor the security practices of third-party integrations, such as payment
gateways and shipping providers.
b. Limit the sharing of sensitive data with third parties and ensure data is encrypted during
transit.
10. Incident Response and Recovery:
a. Develop and maintain an incident response plan that outlines procedures for detecting,
containing, and resolving security incidents.
b. Implement regular backups and disaster recovery mechanisms to ensure business continuity in
the event of an incident.
11. Security Training and Awareness:
a. Provide regular security training and awareness programs for developers, administrators, and
vendors.
b. Ensure all stakeholders are informed about the platform's security policies and best practices.
By implementing these security requirements, WIB Fashion can maintain a high level of security
and protect the data and transactions of its users, while complying with industry standards and
applicable laws.
Chapter 5: Secure Coding Standard Document
Secure coding standards provide rules and guidelines to prevent security vulnerabilities in
software development. By adhering to these standards, WIB Fashion can prevent, detect, and
eliminate errors that may compromise the security of its e-commerce platform.
1. Input Validation:
a. Always validate and sanitize user input to prevent injection attacks, such as SQL injection
and cross-site scripting (XSS).
b. Use allow-lists to define acceptable input values and reject any input that does not meet
these criteria.
c. Implement server-side validation in addition to client-side validation, as client-side validation
can be bypassed.
2. Output Encoding:
a. Encode all output data to prevent cross-site scripting (XSS) attacks.
b. Use appropriate encoding schemes, such as HTML entity encoding for HTML content or URL
encoding for URL components.
3. Authentication and Session Management:
a. Implement strong password policies, including minimum length, complexity, and
expiration requirements.
b. Use secure password hashing algorithms, such as bcrypt or Argon2, to store user passwords.
c. Generate unique session identifiers and implement secure session handling with the HttpOnly
and Secure flags for cookies.
4. Access Control:
a. Follow the principle of least privilege, granting users the minimum level of access required to
perform their tasks.
b. Implement role-based access control (RBAC) to manage user permissions and access to
sensitive resources.
c. Regularly review and update access control policies to ensure they remain effective.
5. Error Handling and Logging:
a. Implement proper error handling to prevent information leakage and ensure that sensitive
data is not exposed through error messages.
b. Log security-related events, such as failed login attempts and access to sensitive resources,
and monitor logs for suspicious activities.
c. Protect log files from unauthorized access and tampering.
6. Secure Communication:
a. Use HTTPS with TLS to encrypt data in transit and protect against eavesdropping and
man-in-the-middle attacks.
b. Implement proper certificate validation and management, including regular renewal
and revocation checks.
7. Code Review and Security Testing:
a. Conduct regular code reviews to identify and fix security vulnerabilities in the source code.
b. Incorporate security testing into the software development lifecycle, including static and
dynamic analysis, penetration testing, and vulnerability scanning.
8. Patch Management and Dependency Management:
a. Regularly update and patch all software components, including servers, databases, libraries,
and frameworks, to fix known security vulnerabilities.
b. Monitor and review third-party dependencies for security vulnerabilities and update them
as needed.
9. Secure Development Training:
a. Provide ongoing secure development training for developers and other relevant team members
to ensure they are aware of current security risks and best practices.
b. Encourage the use of resources such as the OWASP Top Ten Project and the OWASP Cheat
Sheet Series to stay informed about the latest security threats and mitigation techniques.
By following these secure coding standards, WIB Fashion can minimize the risk of security
vulnerabilities and maintain a robust and secure e-commerce platform for its users.
Chapter 6: Sample Test User Accounts
To facilitate the security testing process, the following sample test user accounts have been
created for each user type, except for the administrator. These accounts will be used by the
security testing team to perform various tests and assessments on the WIB Fashion e-commerce
platform.
● Client user
  ● Email: [email protected]
  ● Pass: Ljv6QXXYqQ5I
● Delivery user
  ● Email: [email protected]
  ● Pass: 7uxs8$Whkb5U
Please note that these accounts have limited access and do not have any elevated privileges. The
security testing team is expected to use these accounts responsibly and in accordance with the
agreed-upon testing guidelines. Additionally, ensure that the passwords for these test accounts
are shared securely with the testing team to prevent unauthorized access.
Upon completion of the security test, it is recommended to deactivate or delete these test
accounts to prevent any potential misuse. Regular monitoring and auditing of user accounts
should be performed to maintain the security and integrity of the WIB Fashion e-commerce
platform.
Chapter 7: Incident Response Plan
The Incident Response Team (IRT) is responsible for managing security incidents
and coordinating the response efforts. Key members of the IRT include:
a. Incident Response Manager: Responsible for leading the response efforts, coordinating
team members, and communicating with stakeholders.
b. IT Security Analysts: Responsible for investigating the incident, identifying the root cause,
and recommending remediation measures.
c. Legal and Compliance Representatives: Responsible for ensuring adherence to legal and
regulatory requirements, and assessing potential liabilities.
d. Public Relations/Communications Representatives: Responsible for managing
external communications and public announcements.
3. Incident Reporting
4. Incident Containment
a. The IRT should conduct a thorough investigation to identify the root cause of the
incident, the extent of the damage, and any potential vulnerabilities that need to be addressed.
b. The investigation may involve analyzing logs, reviewing source code, or
conducting interviews with affected users or staff.
a. Based on the investigation findings, the IRT should develop and implement a plan to
recover and restore affected systems, services, and data.
b. Remediation measures may include patching vulnerabilities, updating software,
or implementing new security controls.
7. Incident Closure and Lessons Learned
a. Once the incident has been resolved, the IRT should formally close the incident
and document the incident details, response actions, and outcomes.
b. Conduct a post-incident review to identify lessons learned and opportunities for
improvement, including updates to the Incident Response Plan, security policies, or employee
training programs.
a. Maintain regular communication with internal and external stakeholders, including senior
management, employees, vendors, customers, and regulatory authorities as required.
b. Communicate the status of the incident response efforts, as well as any potential impacts
or risks, in a timely and transparent manner.
By having a comprehensive Incident Response Plan in place, WIB Fashion can respond
effectively to security incidents, minimize their potential impact, and maintain the trust
and confidence of its users and partners.
Chapter 8: Data Privacy and Compliance
WIB Fashion is committed to protecting the privacy and security of its users' personal
information. This document outlines how WIB Fashion complies with data protection regulations
such as GDPR, CCPA, and any local Ethiopian privacy laws. It includes information on data
retention policies, data subject rights, and privacy notices.
a. WIB Fashion retains personal data for as long as necessary to fulfill the purposes for which
it was collected or to comply with legal, regulatory, or contractual requirements.
b. Once the data is no longer needed, it is securely deleted or anonymized in accordance
with industry best practices and applicable regulations.
a. WIB Fashion ensures that users can exercise their data protection rights, including the right
to access, rectify, erase, restrict processing, or object to processing of their personal data.
b. Users can submit requests to exercise their rights through a designated email address,
customer support form, or by contacting WIB Fashion's Data Protection Officer.
c. WIB Fashion processes user requests within the timeframes specified by applicable
regulations.
4. Privacy Notices
a. WIB Fashion provides clear and transparent privacy notices to its users, informing them
about the types of personal data collected, the purposes for which it is processed, and their rights
under applicable data protection laws.
b. Privacy notices are provided at the point of data collection and are easily accessible on the
WIB Fashion website and mobile app.
5. Data Security
6. Data Transfers
a. WIB Fashion ensures that any transfer of personal data to third parties or across borders
complies with applicable data protection regulations, including the use of standard contractual
clauses or other lawful transfer mechanisms.
a. WIB Fashion engages third-party processors and vendors that adhere to the same
data protection standards and requirements as WIB Fashion.
b. Agreements with these third parties include provisions for data privacy and security, as
well as requirements for reporting and managing data breaches or incidents.
a. WIB Fashion regularly monitors and reviews its data privacy and compliance program
to ensure ongoing adherence to applicable regulations and best practices.
b. Any changes or updates to data protection regulations or requirements are promptly
assessed and integrated into WIB Fashion's policies and procedures.
By implementing robust data privacy and compliance measures, WIB Fashion demonstrates its
commitment to protecting the personal information of its users and ensuring the security and
trustworthiness of its e-commerce platform.
Chapter 9: Business Continuity and Disaster Recovery Plan
WIB Fashion's Business Continuity and Disaster Recovery Plan (BCDRP) outlines the
procedures and processes for maintaining or resuming business operations in the event of a
disruptive incident, such as a natural disaster, cyber attack, or system failure. The plan aims to
minimize the impact of such incidents on WIB Fashion's e-commerce platform, its users, and
its business partners.
a. Identify and prioritize the critical business functions, processes, and systems that
support WIB Fashion's e-commerce platform.
b. Assess the potential impact of various disruptive incidents on these critical elements,
a. Identify and assess potential risks and threats to WIB Fashion's critical business
functions, processes, and systems.
b. Implement appropriate risk mitigation measures, such as redundant infrastructure,
data backups, and emergency power supplies.
4. Recovery Strategies
a. Develop recovery strategies for each critical business function, process, and system
identified in the BIA, considering factors such as Recovery Time Objectives (RTOs)
and Recovery Point Objectives (RPOs).
b. Implement appropriate recovery solutions, such as data replication, alternative
processing sites, or backup service providers.
a. Develop and document detailed Business Continuity Plans (BCPs) for each critical business
function, process, and system, outlining the steps and resources needed to maintain or resume
operations following a disruptive incident.
b. Ensure that BCPs address key aspects such as communication, resource allocation, and
coordination with external partners and stakeholders.
a. Develop and document detailed Disaster Recovery Plans (DRPs) for each critical business
function, process, and system, outlining the steps and resources needed to restore IT systems,
data, and infrastructure following a disruptive incident.
b. Ensure that DRPs address key aspects such as data recovery, system restoration,
and infrastructure repair or replacement.
a. Provide regular training and awareness programs for employees and partners on the
BCDRP, including their roles and responsibilities in the event of a disruptive incident.
b. Conduct regular exercises and drills to test and validate the BCDRP, identify gaps
or weaknesses, and improve overall preparedness and resilience.
a. Regularly review and update the BCDRP to ensure that it remains relevant and effective
in the face of changing business requirements, technologies, and threats.
b. Incorporate lessons learned from actual incidents, exercises, and industry best practices into
the BCDRP to continuously improve its effectiveness.
By having a comprehensive Business Continuity and Disaster Recovery Plan in place, WIB
Fashion can enhance its resilience to disruptive incidents, minimize the potential impact on its
e-commerce platform and users, and ensure the continuity of its business operations.
Chapter 10: Security Awareness and Training
A robust security awareness and training program is essential for ensuring the security of WIB
Fashion's e-commerce platform. This document outlines the security awareness and training
program for employees, including the topics covered, frequency of training, and methods of
delivery.
1. Training Objectives
2. Topics Covered
a. Security policies and procedures, including the acceptable use of systems and data, password
management, and incident reporting.
b. Common security threats and attack vectors, such as phishing, social engineering, and
malware.
c. Secure coding practices, including input validation, error handling, and secure data storage.
d. Data privacy and compliance, including the handling of personal information and the
requirements of applicable regulations.
e. Incident response and business continuity planning, including employee roles and
responsibilities during a security incident or disruptive event.
f. Physical security measures, such as access controls, visitor management, and the
protection of sensitive areas and assets.
3. Frequency of Training
a. New employees should receive security awareness training as part of their onboarding
process.
b. Existing employees should receive refresher training at least annually, or more frequently
as needed based on changes in the threat landscape or the organization's security policies and
procedures.
c. Additional, targeted training should be provided to employees with specific security
responsibilities or roles, such as developers, system administrators, or incident responders.
4. Methods of Delivery
a. Assess the effectiveness of the security awareness and training program through regular
evaluations, such as surveys, quizzes, or feedback sessions.
b. Use evaluation results to identify areas for improvement, update training materials, and
tailor the program to the organization's specific needs and challenges.
c. Monitor security incidents, policy violations, and other relevant metrics to measure the
impact of the training program on employee behavior and the overall security posture of
the organization.
Chapter 11: Previous Security Test Reports
WIB Fashion has a history of conducting regular security tests to ensure the safety and security
of its e-commerce platform. The following is a summary of previous security test reports,
highlighting the significant findings and remediation efforts taken.
These previous security test reports demonstrate WIB Fashion's commitment to maintaining a
secure e-commerce platform. Regular security testing has allowed the company to identify and
remediate vulnerabilities proactively, ensuring a safe and secure online shopping experience
for its users.
Conclusion
In this document, we have outlined the various aspects of the WIB Fashion e-commerce
platform's security, providing a comprehensive overview of its features, user types, system
architecture, dependencies, and security standards. We have also defined the scope of the
security audit, detailed security functionality requirements, and presented a threat
modeling document based on the OWASP application threat modeling method.
By adhering to secure coding standards and incorporating the findings from previous security
tests, WIB Fashion demonstrates its commitment to maintaining a high level of security for its
users. The platform's continuous focus on addressing potential vulnerabilities and regularly
updating its security measures ensures that user data and transactions remain protected.
As the platform continues to grow and evolve, it is crucial for WIB Fashion to stay up-to-date
with the latest security trends and best practices. Regular security audits, code reviews, and
testing should be conducted to identify and address any new vulnerabilities that may arise. By
fostering a culture of security awareness and implementing a proactive approach to risk
management, WIB Fashion can continue to provide a secure and reliable e-commerce
platform for its customers and vendors in Addis Ababa, Ethiopia, and beyond.