Security Risk Assessment
This document outlines the security standards and pentesting activities performed at Botium.
Please contact us for more detailed information.
All Botium products are regularly subjected to various security audits and penetration tests.
The focal points are:
- Continuous in-house testing of our services with established security testing tools (corresponding reports can be provided)
- The cloud providers used for our SaaS offering (AWS, Azure, IBM) regularly carry out penetration tests of their own infrastructure
- Support for clients if additional pentests are required
The methodology for penetration tests is inspired by OWASP standards and follows the steps described below. It's regularly updated based on new attack techniques and vulnerabilities that are discovered. The infrastructure penetration test methodology is aligned with NIST recommendations.
All typical tests outlined in the OWASP Testing Guide (V4) are performed, including but not limited to:
- Configuration and Deployment Management Testing
- Identity Management Testing
- Authentication and Authorization Testing
- Session Management Testing
- Input Validation Testing
- Testing for Error Handling
- Testing for Weak Cryptography
- Business Logic Testing and Client Side Testing
The following tests are continuously performed by a vulnerability scanner:
- Fingerprinting the server software and technology... ✅
- Checking for vulnerabilities of server-side software... ✅
- Analyzing HTTP security headers... ✅
- Checking for secure communication... ✅
- Checking robots.txt file... ✅
- Checking client access policies... ✅
- Checking for clear-text submission of passwords... ✅
- Searching for sensitive files... ✅
- Checking for interesting files... ✅
- Checking for information disclosure... ✅
- Checking for software identification... ✅
- Checking for administration consoles... ✅
- Spidering target... ✅
- Scanning for XSS vulnerabilities... ✅
- Scanning for SQL Injection vulnerabilities... ✅
- Scanning for File Inclusion vulnerabilities... ✅
- Scanning for OS Command Injection vulnerabilities... ✅
- Scanning for passive vulnerabilities... ✅
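Several of the checks listed above are passive: they only read what the server already sends. The following script is an added example (it is not Botium's scanner, nor taken from this page) that implements four of them over a constructed HTTP response, HTML body and robots.txt, so it runs offline. The host name app.example.test, the header values and the form markup are invented sample data.

```python
"""Added example, not Botium's own scanner: a few of the passive checks above,
run over constructed sample data so the script works offline."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Security headers a web application is expected to send; absence is reported.
EXPECTED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
)

# Constructed sample response (not captured from any real host).
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "Express",
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_BODY = """
<html><body>
<form action="http://app.example.test/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<form action="/search" method="get"><input name="q"></form>
</body></html>
"""
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin/\nDisallow: /backup/\nAllow: /\n"


def fingerprint(headers):
    """Software identification: product/version strings leaked via headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {name: lower[name] for name in ("server", "x-powered-by") if name in lower}


def missing_security_headers(headers):
    """HTTP security header analysis: which expected headers are absent."""
    present = {k.lower() for k in headers}
    return [h for h in EXPECTED_HEADERS if h not in present]


class _FormCollector(HTMLParser):
    """Collects each <form> with its resolved target and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def cleartext_password_forms(page_url, body):
    """Clear-text password submission: a password field posted to a non-HTTPS action.
    The action is resolved against the page URL, so a relative action on an HTTPS page is fine."""
    collector = _FormCollector()
    collector.feed(body)
    hits = []
    for form in collector.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"])
        if urlparse(target).scheme != "https":
            hits.append(target)
    return hits


def robots_disallowed(robots_txt):
    """robots.txt review: Disallow entries frequently point at admin or backup paths."""
    paths = []
    for line in robots_txt.splitlines():
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:
                paths.append(path)
    return paths


def run_checks(page_url, headers, body, robots_txt):
    """Runs all four checks and returns their findings keyed by check name."""
    return {
        "fingerprint": fingerprint(headers),
        "missing_headers": missing_security_headers(headers),
        "cleartext_password_forms": cleartext_password_forms(page_url, body),
        "robots_disallowed": robots_disallowed(robots_txt),
    }


if __name__ == "__main__":
    for name, finding in run_checks("https://app.example.test/", SAMPLE_HEADERS,
                                    SAMPLE_BODY, SAMPLE_ROBOTS).items():
        print(f"{name}: {finding}")
```

On the sample data the login form is flagged because its absolute action uses http:// even though the page itself was served over HTTPS; the search form has no password field and is ignored. To run it against a real target, replace the constants with the status headers and body of an actual response.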
The Botium incident management plan is divided into the following phases:
- Analysis and Identification
- Lessons Learned
System and Application Patches
The release plan for all Botium products provides for a monthly deployment. In addition, weekly hotfix deployments can be used on demand for application patches.
Operating system patches are carried out following cloud provider security guidelines.
User Access Management
All Botium products come with out-of-the-box support for Google Login and Active Directory (LDAP). Furthermore, they provide integrated user, role and permission management.
Auditing User Access
Botium does not record detailed audits of user activity, with the following exceptions:
- For each user, the last login date and time is recorded and persisted
- For all database records, the date, time and user that created the record is persisted
- For all database records, the date, time and user that made the last change to the record is persisted
For our SaaS clients, please contact us to discuss and configure Single Sign-On, as it involves infrastructure requirements on your side.
Botium provides products and services for clients across many domains, each business area coming with its own certification requirements. We have therefore refrained from permanently pursuing every security certification, which would drive up our product prices drastically. Instead, we get certified on clients' demand and according to their needs.
Botium Box uses Amazon RDS as structured storage and Amazon EFS as object/binary/file storage.
To a certain extent this can be tailored to client needs: clients can choose where their data is stored, including the cloud provider (AWS, Azure, IBM) and the geographical location of the server by country, city and region, e.g. AWS region "eu-west-1" (Europe, Ireland).
All data is stored in the private cloud or on physical servers of the client.
The encryption of data within Botium environments
Encrypting data in transit
The Botium Box user interface is HTTPS-encrypted with Let's Encrypt certificates, which are renewed automatically every 3 months.
Encrypting data at rest
Structured data with Amazon RDS (including snapshots) - see Amazon RDS documentation
Object/Binary/File storage with Amazon EFS - see Amazon EFS documentation
Logs and Backups with Wasabi - see Wasabi documentation
All data is stored in the private cloud or on physical servers of the client and is subject to the individual encryption settings there.
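Encryption at rest is delegated to the provider settings referenced above, so the practical check is to verify that every RDS instance, every RDS snapshot and every EFS file system actually reports itself as encrypted. The following script is an added example (not Botium's own tooling and not from this page). It reads the structures returned by the AWS API calls describe-db-instances, describe-db-snapshots and describe-file-systems; the resource identifiers, account number and key ARN in the sample data are invented, and the optional live fetch assumes boto3 and valid AWS credentials.

```python
"""Added example, not Botium's own tooling: flag RDS instances, RDS snapshots and
EFS file systems whose encryption-at-rest flag is not set. Works on constructed
sample data by default; fetch_live() shows how the same functions take boto3 output."""

# Constructed sample responses; only the fields the check reads are included,
# and every identifier here is invented.
RDS_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "botium-prod", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-west-1:111111111111:key/example-key-id"},
    {"DBInstanceIdentifier": "botium-staging", "StorageEncrypted": False},
]}
RDS_SNAPSHOTS = {"DBSnapshots": [
    {"DBSnapshotIdentifier": "rds:botium-prod-2024-01-01", "DBInstanceIdentifier": "botium-prod",
     "Encrypted": True},
    # A snapshot taken from an unencrypted instance is itself unencrypted.
    {"DBSnapshotIdentifier": "manual-staging-copy", "DBInstanceIdentifier": "botium-staging",
     "Encrypted": False},
]}
EFS_FILESYSTEMS = {"FileSystems": [
    {"FileSystemId": "fs-0123abcd", "Encrypted": True},
    {"FileSystemId": "fs-9876dcba", "Encrypted": False},
]}


def unencrypted_rds_instances(resp):
    """RDS reports instance encryption in StorageEncrypted; a missing key counts as unencrypted."""
    return [i["DBInstanceIdentifier"] for i in resp.get("DBInstances", [])
            if not i.get("StorageEncrypted", False)]


def unencrypted_rds_snapshots(resp):
    """RDS snapshots carry their own Encrypted flag, which must be checked separately."""
    return [s["DBSnapshotIdentifier"] for s in resp.get("DBSnapshots", [])
            if not s.get("Encrypted", False)]


def unencrypted_efs(resp):
    """EFS reports Encrypted per file system; it can only be set when the file system is created."""
    return [f["FileSystemId"] for f in resp.get("FileSystems", [])
            if not f.get("Encrypted", False)]


def encryption_at_rest_findings(instances, snapshots, filesystems):
    """Returns the unencrypted resources of each type, keyed by resource type."""
    return {
        "rds_instances": unencrypted_rds_instances(instances),
        "rds_snapshots": unencrypted_rds_snapshots(snapshots),
        "efs_filesystems": unencrypted_efs(filesystems),
    }


def has_findings(findings):
    """True if any resource type has at least one unencrypted entry."""
    return any(findings.values())


def fetch_live(region):
    """Optional: pull the three responses from AWS. Requires boto3 and credentials
    (assumption: not available in the offline run, hence the local import)."""
    import boto3  # imported here so the rest of the script runs without it
    rds = boto3.client("rds", region_name=region)
    efs = boto3.client("efs", region_name=region)
    return (rds.describe_db_instances(),
            rds.describe_db_snapshots(),
            efs.describe_file_systems())


if __name__ == "__main__":
    findings = encryption_at_rest_findings(RDS_INSTANCES, RDS_SNAPSHOTS, EFS_FILESYSTEMS)
    for kind, ids in findings.items():
        print(f"{kind}: {ids or 'all encrypted'}")
    raise SystemExit(1 if has_findings(findings) else 0)
```

Two caveats a reviewer should keep in mind: an existing unencrypted RDS instance cannot be switched to encrypted in place (it has to be snapshotted, the snapshot copied with a KMS key, and the instance restored from the copy), and EFS encryption likewise has to be chosen at creation. Pagination is ignored here; for accounts with many snapshots the boto3 paginators for these calls should be used.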
Botium products do not process any personal data. If desired, all tools can be operated using default users like “admin” or “guest”.
Botium products save system logs to support clients in case of problems. All log data is automatically deleted after two weeks.
Data Breach Notification
The data breach notification procedure is based on the following steps:
- Breach detection
- Risk assessment
- High or severe-risk assessment result
- Notification and provision of information
- Document and record
Secure Development Practices
Secure development practices implemented in all Botium environments are shared within the teams through:
- Peer programming sessions
- Weekly knowledge sharings
- Secure coding workshops
- Regular code reviews
- Vulnerability scans
Recovery and Disaster plan
- Botium Box takes daily snapshots of structured storage and file storage and keeps them for 2 weeks
- All SaaS instances can be rolled back to a snapshot of a certain date within the last 2 weeks
- Outage during disaster recovery will take up to 12 hours
The client is responsible for recovery.