Leadline Inc.
Control Requirements

COM-09: Annual External Scanning by Third Party

Implementation of annual external vulnerability scanning by a third party for internet-facing infrastructure using OWASP ZAP, Snyk, and a WAF

Control Description

On an annual basis, external scanning is performed by a third party for all internet-facing infrastructure to detect new and unknown vulnerabilities. Remediation of all critical/high vulnerabilities is tracked within a ticketing system and is completed within X business days.

Plain Meaning

This control requires engaging an independent third-party vendor to conduct comprehensive vulnerability scans of all internet-facing systems and infrastructure once per year. The third-party scanner should identify security weaknesses that could be exploited from outside the network. When critical or high-severity vulnerabilities are found, they must be documented in a ticketing system and remediated within a specified timeframe.

External Scanning Solutions

Primary Tools: OWASP ZAP, Snyk, and WAF

We utilize a comprehensive external scanning approach combining multiple specialized tools to ensure thorough coverage of our internet-facing infrastructure:

1. OWASP ZAP (Zed Attack Proxy)

Purpose: Web application security testing and vulnerability assessment

Capabilities:

  • Automated Scanning: Spider and AJAX Spider for comprehensive crawling
  • Active Scanning: Automated vulnerability testing with configurable policies
  • Passive Scanning: Real-time vulnerability detection during browsing
  • API Testing: REST and GraphQL API security assessment
  • Custom Scripts: Tailored attack scenarios for specific applications

Configuration:

zap_configuration:
  context:
    name: "Production Web Applications"
    description: "External scanning context for production web apps"
  
  spider:
    max_depth: 10
    max_children: 100
    accept_cookies: true
    
  active_scan:
    policy: "Default Policy"
    max_rule_duration: 5
    max_scan_duration: 60
    
  api_scan:
    endpoints: ["/api/v1/*", "/graphql"]
    authentication: "Bearer Token"
    rate_limiting: true

2. Snyk Security Platform

Purpose: Dependency vulnerability scanning and container security assessment

Capabilities:

  • Dependency Scanning: Automated detection of vulnerable dependencies
  • Container Security: Docker image vulnerability assessment
  • Infrastructure as Code: Terraform and CloudFormation security scanning
  • License Compliance: Open source license risk assessment
  • CI/CD Integration: Automated scanning in development pipelines

Integration Points:

snyk_configuration:
  projects:
    - name: "Web Application Dependencies"
      path: "./package.json"
      type: "npm"
    - name: "Container Images"
      path: "./Dockerfile"
      type: "docker"
    - name: "Infrastructure Code"
      path: "./terraform/"
      type: "terraform"
  
  policies:
    fail_on: "high"
    auto_fix: false
    ignore_patterns: ["test/*", "dev/*"]

3. Web Application Firewall (WAF)

Purpose: Real-time protection and automated attack simulation

Capabilities:

  • Automated Attack Testing: Simulated attacks to validate WAF effectiveness
  • Real-time Protection: Blocking malicious traffic and attacks
  • Rate Limiting: Protection against DDoS and brute force attacks
  • Custom Rules: Application-specific security rules
  • Threat Intelligence: Integration with threat feeds

Automated Test Attacks:

waf_automated_tests:
  sql_injection:
    enabled: true
    frequency: "weekly"
    patterns:
      - "' OR '1'='1"
      - "'; DROP TABLE users; --"
      - "UNION SELECT * FROM users"
  
  xss_attacks:
    enabled: true
    frequency: "weekly"
    patterns:
      - "<script>alert('XSS')</script>"
      - "javascript:alert('XSS')"
      - "<img src=x onerror=alert('XSS')>"
  
  path_traversal:
    enabled: true
    frequency: "weekly"
    patterns:
      - "../../../etc/passwd"
      - "..\\..\\..\\windows\\system32\\config\\sam"
  
  command_injection:
    enabled: true
    frequency: "weekly"
    patterns:
      - "; ls -la"
      - "| whoami"
      - "&& cat /etc/passwd"

Annual External Scanning Schedule

Q1: Planning and Preparation (January-March)

  • Week 1-2: Tool configuration and policy updates
  • Week 3-4: Scope definition and stakeholder coordination
  • Week 5-6: Pre-scan baseline assessment
  • Week 7-8: Test environment validation

Q2: Primary Scanning Phase (April-June)

  • Week 1-2: OWASP ZAP comprehensive web application scanning
  • Week 3-4: Snyk dependency and container scanning
  • Week 5-6: WAF automated attack testing and validation
  • Week 7-8: Manual penetration testing by third-party vendor

Q3: Analysis and Remediation (July-September)

  • Week 1-2: Findings analysis and severity classification
  • Week 3-4: Remediation planning and resource allocation
  • Week 5-6: Critical and high vulnerability remediation
  • Week 7-8: Medium and low vulnerability remediation

Q4: Validation and Reporting (October-December)

  • Week 1-2: Remediation validation and retesting
  • Week 3-4: Final report generation and executive review
  • Week 5-6: Process improvement and lessons learned
  • Week 7-8: Annual planning for next year's scanning

Scanning Scope and Coverage

Internet-Facing Infrastructure

  • Web Applications: All production web applications and APIs
  • Load Balancers: Application Load Balancers and Network Load Balancers
  • CDN Endpoints: CloudFront distributions and edge locations
  • Public APIs: REST and GraphQL API endpoints
  • Container Registries: ECR repositories and container images
  • Storage Buckets: S3 buckets with public access

Testing Categories

OWASP ZAP Testing

  • OWASP Top 10: All current OWASP Top 10 vulnerabilities
  • Custom Scenarios: Application-specific attack vectors
  • Authentication Testing: Login bypass and session management
  • Authorization Testing: Privilege escalation and access control
  • Input Validation: SQL injection, XSS, and command injection
  • Business Logic: Application-specific business logic flaws

Snyk Testing

  • Dependency Vulnerabilities: Known CVEs in dependencies
  • Container Vulnerabilities: Base image and application layer issues
  • License Compliance: Open source license risks
  • Infrastructure Security: IaC security misconfigurations
  • Secret Detection: Hardcoded secrets and credentials

WAF Automated Testing

  • Attack Simulation: Automated attack pattern testing
  • Rule Validation: WAF rule effectiveness verification
  • Performance Testing: WAF performance under attack conditions
  • False Positive Analysis: WAF rule tuning and optimization

Vulnerability Classification and Remediation

Critical Vulnerabilities (Remediation: 24 hours)

  • Remote Code Execution: Unauthenticated RCE vulnerabilities
  • SQL Injection: Direct database access vulnerabilities
  • Authentication Bypass: Complete authentication bypass
  • Data Exposure: Sensitive data exposure to unauthorized users

High Severity Vulnerabilities (Remediation: 72 hours)

  • Stored XSS: Persistent cross-site scripting vulnerabilities
  • Privilege Escalation: Unauthorized privilege escalation
  • Information Disclosure: Sensitive information disclosure
  • Weak Authentication: Weak password policies or session management

Medium Severity Vulnerabilities (Remediation: 1 week)

  • Reflected XSS: Non-persistent cross-site scripting
  • CSRF: Cross-site request forgery vulnerabilities
  • Directory Traversal: Path traversal vulnerabilities
  • Security Misconfigurations: Configuration-related security issues

Low Severity Vulnerabilities (Remediation: 2 weeks)

  • Information Disclosure: Non-sensitive information disclosure
  • Version Disclosure: Software version information exposure
  • Missing Security Headers: Security header configuration issues
  • Deprecated Features: Use of deprecated or insecure features
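The remediation windows above, as an added example that is not part of this control document or its tooling: a small Python tracker that computes each ticketed finding's due date from its severity tier and reports SLA breaches and open critical/high items for the compliance evidence. It assumes the table's durations as elapsed calendar time (the control text itself counts business days), and the ticket keys, tool names and dates are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
# Remediation windows from the COM-09 classification table, applied as elapsed
# calendar time (an assumption: the control text itself counts business days).
SLA = {
    "critical": timedelta(hours=24),
    "high": timedelta(hours=72),
    "medium": timedelta(weeks=1),
    "low": timedelta(weeks=2),
}

@dataclass
class Finding:
    ticket: str                      # ticketing-system key (hypothetical IDs below)
    tool: str                        # "zap", "snyk" or "waf"
    severity: str                    # one of the SLA keys
    detected: datetime
    remediated: datetime | None = None

    def due(self) -> datetime:
        return self.detected + SLA[self.severity]

    def breached(self, now: datetime) -> bool:
        """Closed after the due date, or still open and already past it."""
        closed_at = self.remediated if self.remediated is not None else now
        return closed_at > self.due()

def sla_report(findings: list[Finding], now: datetime) -> dict[str, int]:
    """Counts the control evidence needs: SLA breaches and open critical/high items."""
    report = {"open_critical_high": 0, "breached": 0, "closed_in_sla": 0}
    for f in findings:
        if f.severity not in SLA:
            raise ValueError(f"{f.ticket}: unknown severity {f.severity!r}")
        if f.breached(now):
            report["breached"] += 1
        elif f.remediated is not None:
            report["closed_in_sla"] += 1
        if f.remediated is None and f.severity in ("critical", "high"):
            report["open_critical_high"] += 1
    return report

# Constructed sample findings; the tickets and dates are not real records.
NOW = datetime(2024, 5, 20, 9, 0)
SAMPLE = [
    Finding("SEC-101", "zap", "critical", datetime(2024, 5, 18, 10, 0), datetime(2024, 5, 18, 20, 0)),
    Finding("SEC-102", "zap", "high", datetime(2024, 5, 15, 9, 0)),            # open, 72h exceeded
    Finding("SEC-103", "snyk", "medium", datetime(2024, 5, 16, 9, 0)),         # open, still within a week
    Finding("SEC-104", "waf", "low", datetime(2024, 4, 1, 9, 0), datetime(2024, 4, 20, 9, 0)),  # closed late
]
```

Feeding the tracker from the ticketing system's export instead of SAMPLE gives the "Remediation Records" and "Validation Evidence" counts the Compliance Evidence section asks for.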

Third-Party Vendor Requirements

Vendor Selection Criteria

  • Certifications: ISO 27001, SOC 2 Type II, or equivalent
  • Experience: Minimum 5 years in web application security testing
  • Methodology: OWASP Testing Guide compliance
  • Reporting: Comprehensive reporting with actionable recommendations
  • References: Positive client references and case studies

Vendor Responsibilities

  • Scope Definition: Detailed scope and testing methodology
  • Testing Execution: Professional penetration testing services
  • Finding Validation: Verification of all reported vulnerabilities
  • Report Generation: Comprehensive technical and executive reports
  • Remediation Support: Guidance on vulnerability remediation

Internal Coordination

  • Project Management: Dedicated project manager for vendor coordination
  • Technical Liaison: Technical contact for testing coordination
  • Stakeholder Communication: Regular updates to stakeholders
  • Escalation Procedures: Clear escalation paths for critical findings

Reporting and Compliance

Technical Reports

  • Executive Summary: High-level findings and risk assessment
  • Detailed Findings: Technical details for each vulnerability
  • Remediation Guidance: Specific remediation steps and recommendations
  • Risk Assessment: Business impact and risk prioritization
  • Trend Analysis: Comparison with previous year's findings

Compliance Evidence

  • Scanning Logs: Complete logs from all scanning tools
  • Vendor Reports: Third-party vendor assessment reports
  • Remediation Records: Documentation of all remediation activities
  • Validation Evidence: Proof of vulnerability remediation
  • Process Documentation: Scanning methodology and procedures

Continuous Monitoring

  • Automated Scanning: Continuous automated vulnerability scanning
  • Real-time Alerts: Immediate notification of new vulnerabilities
  • Trend Analysis: Ongoing analysis of vulnerability trends
  • Process Improvement: Continuous improvement of scanning processes

Tool Documentation

Standards and Frameworks

Internal Resources