Security Risk Assessment

This document outlines the security standards and pentesting activities performed at Botium.

Please contact us for more detailed information.

Note

All Botium products are regularly subjected to various security audits and pentests

Security Strategy

The focal points are:

  1. Continuous in-house testing of our services with established security testing tools (corresponding reports can be provided)
  2. The cloud providers used in our SaaS offering (AWS, Azure, IBM) regularly carry out pentests of their own infrastructure
  3. Support for clients if additional pentests are required

Pentest Methodology

The methodology for penetration tests is inspired by OWASP standards and follows the steps described below. It's regularly updated based on new attack techniques and vulnerabilities that are discovered. The infrastructure penetration test methodology is aligned with NIST recommendations.

All typical tests outlined in the OWASP Testing Guide (V4) are performed including but not limited to:

  • Configuration and Deployment Management Testing
  • Identity Management Testing
  • Authentication and Authorization Testing
  • Testing of the Session Management
  • Input Validation Testing
  • Testing for Error Handling
  • Testing for weak Cryptography
  • Business Logic Testing and Client Side Testing

The following tests are continuously performed by a vulnerability scanner:

  • Fingerprinting the server software and technology
  • Checking for vulnerabilities of server-side software
  • Analyzing HTTP security headers
  • Checking for secure communication
  • Checking robots.txt file
  • Checking client access policies
  • Checking for clear-text submission of passwords
  • Checking for JavaScript vulnerabilities
  • Searching for sensitive files
  • Checking for interesting files
  • Checking for information disclosure
  • Checking for software identification
  • Checking for administration consoles
  • Spidering target
  • Scanning for XSS vulnerabilities
  • Scanning for SQL Injection vulnerabilities
  • Scanning for File Inclusion vulnerabilities
  • Scanning for OS Command Injection vulnerabilities
  • Scanning for passive vulnerabilities

Incident Management

The Botium incident management plan is divided into the following phases:

  1. Preparation
  2. Analysis and Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

System and Application Patches

The release plan of all Botium products foresees a monthly deployment. In addition, weekly hotfix deployments can be used on demand for application patches.

Operating system patches are carried out following cloud provider security guidelines.

User Access Management

All Botium products come with out-of-the-box support for Google Login and Active Directory (LDAP). Furthermore, they provide integrated user, role and permission management.

Auditing User Access

Botium does not record detailed audits of user activity, with the following exceptions:

  • For each user, the last login date and time is recorded and persisted
  • For all database records, the date, time and user that created the record is persisted
  • For all database records, the date, time and user that made the last change to the record is persisted

Single-Sign-On (SSO)

Single Sign-On can be implemented with many different protocols. Leading technologies such as SAML2, Google Auth and LDAP are already supported; others may need some customization.

Note

SaaS clients should contact us to discuss and configure Single Sign-On, as it involves infrastructure requirements on your side.

Security Certifications

Botium provides products and services for clients in all domains, and every business area comes with its own certifications. Therefore we have refrained from permanently feeding the security certifications machine, which would drive up our product prices drastically. Instead, we get certified on clients’ demand and needs.

Data Storage

SaaS

Botium Box uses Amazon RDS as structured storage and Amazon EFS as object/binary/file storage.

Note

This can be tailored to client needs to a certain extent: clients can choose where their data is stored, including the cloud provider (AWS, Azure, IBM) and the geographical location of the server by country, city and region, e.g. AWS region “eu-west-1” (Europe, Ireland).

On-Premise

All data is stored in the private cloud or on physical servers of the client.

Data Encryption

SaaS

Encryption of data within Botium environments is handled as follows.

Encrypting data in transit

The Botium Box user interface is HTTPS-encrypted with Let's Encrypt certificates, which are renewed automatically every 3 months.

Encrypting data at rest

  • Structured data with Amazon RDS (including snapshots) - see Amazon RDS documentation
  • Object/Binary/File storage with Amazon EFS - see Amazon EFS documentation
  • Logs and Backups with Wasabi - see Wasabi documentation

On-Premise

All data is stored in the private cloud or on physical servers of the client and is subject to the client's individual encryption settings.

Personal Data

Botium products do not process any personal data. If desired, all tools can be operated using default users like “admin” or “guest”.

Log Data

Botium products save system logs to support clients in case of problems. All log data is automatically deleted after two weeks.

Data Breach Notification

The data breach notification procedure is based on the following steps:

  1. Breach detection
  2. Risk assessment
  3. High or severe-risk assessment result
  4. Notification and provision of information
  5. Document and record

Secure Development Practices

Secure development practices implemented in all Botium environments are shared within the teams through:

  • Peer programming sessions
  • Weekly knowledge sharings
  • Secure coding workshops
  • Regular code reviews
  • Vulnerability scans

Recovery and Disaster plan

SaaS

  • Botium Box takes daily snapshots of structured storage and file storage and keeps them for 2 weeks
  • All SaaS instances can be rolled back to a snapshot of a certain date within the last 2 weeks
  • Outage during disaster recovery will take up to 12 hours

On-Premise

The client is responsible for recovery.