30(a) Security Policy: Summary of the security policy for the proposed registry

Prototypical answer:

We are going to outsource the technical operation of gTLD to our partner company Gransy s.r.o.. This company is ICANN accredited registrar.
Our future co-operation is affirmed in the Letter of Confirmation, which is attached to this questionnaire just as reference to the Gransy company.
We comply with the following ISO standards: 9001, 27001, 20000, 14001. The copies of certificates are in attachments:

ʺLetter of Confirmation.pdfʺ
ʺISO 14001_EN.JPEGʺ
ʺISO 14001_EN.pdfʺ
ʺISO 20000_EN.pdfʺ
ʺISO 20000_EN_USY.pdfʺ
ʺISO 27001_EN.pdfʺ
ʺISO 27001_EN_USY.pdfʺ
ʺISO 9001_EN.pdfʺ

Security testing, in addition to functional and load testing, is one of the three pillars of the entire process of ensuring
software quality. It is a discipline whose aim is to continuously verify the quality of the security system. It focuses, in
particular, on the detection of vulnerabilities that allow an attacker to get illegally to the data through user interface,
respectively to manipulate the system in contrary to its original purpose.
In order to assess the safety parameters of a complex information system is monitoring and analyze the quality of static code without its execution and then the behavior of the code when the application is running.
Basically, these tests are known as static (static application security testing - SAST) and dynamic (dynamic application security testing - DAST) tests. Static tests consist, in particular, of routine review ⁄ control code and static analysis of code. Dynamic tests will be subdivided into whitebox (with knowledge of code ⁄ system structure) and blackbox (without prior knowledge of the system).
Whiteboxis testing and static analysis of the code is performed together and is closely related. The various types of tests are carried out in other phases of software development and different methods are applied to them. Each of them covers a different group of errors and that is why it is necessary to not to neglect one of them, and outputs are mutually correlated.

Type of test Goal (types of vulnerabilities discovered):

Code review - Expertise verification of the code in order to discover vulnerabilities as unused pieces of code, code not
related with the business functionality (utilities for developers, possibly backdoors) etc.

Static code analysis - Syntactic and typing errors, hard-coding of definitions of constants, lack of input validation (e.g. use of regular expressions), use of methods and classes generally considered unsafe (obsolete⁄deprecated classes)

Whitebox testing - Vulnerabilities as SQL injection, code injection. Information Leakage and Improper error handling,
insecure direct object reference etc.

Blackbox testing - Cross-Site Scripting, Cross Site Request Forgery, HTTP Response Splitting, parameter tampering, Hidden Field Manipulation, any attempt to use debugging options, Application Buffer Overflow, Cookie Poisoning, SQL Injection, session fixation and others.
Types of vulnerabilities discovered with whitebox and blackbox testing are similar, so there we will execute both types of
tests to reduce the number of false positives and false negatives.
Our security tests can detect errors already during the development and thus significantly reduce the cost of its eradication, but this does not affect the role of penetration tests.
Penetration tests are still needed as they are usually performed on a finished and running system and covers not only the application layer, but also the infrastructure. Our penetration tests are independent (which is not the case whith security testing, which can be performed directly by the development team). That means that penetration tests are still works as the independent audit of overall level of the system security. It can detect also other types of vulnerabilities, e.g. handling of user accounts, securing of the communication channels etc.
So the penetration testing will be supported by Symantec Vulnerability manager for infrastructure vulnerability scanning.

Similar gTLD applications: (0)