http://website.isecpartners.com/isr_independent_security_report en http://website.isecpartners.com/publicly_available_independent_security_reports <p><a href="/files/Juniper_IVE_iSR_v5.pdf">Juniper Networks</a><br /> <a href="/files/iSR-Japanese.pdf">Juniper Networks (Japanese version)</a><br /> <a href="/files/iSEC_Macromedia_Activation_White_Paper.pdf">Macromedia</a><br /> <a href="/files/WebEx_OnDemandTraceReport.pdf">WebEx Communications</a></p> <p>Companies often have functionality that needs to be established as consistent with industry standards. Others may have security features that need to be highlighted as differentiators in their industry. Almost all businesses need to verify to their auditors and customers that an independent security assessment has been performed.</p> <p>However, budgets and schedules rarely support a comprehensive security review of an entire product or service. To this end, iSEC Partners has developed a methodology for conducting ongoing security assessments that are focused on:</p> <ul> <li>Creating an Independent Security Report (iSR) that highlights the validation testing of “security assertions”</li> <li>Assessing high-risk components</li> <li>Conducting tests that address questions raised in most vendor security questionnaires</li> <li>Creating a process for ongoing security QA while satiating the needs of security, product development and marketing teams</li> </ul> <p>iSEC Partners’ Security Assurance Program is an iterative process that provides a practical view of what a motivated attacker might accomplish. iSEC Partners conducts assessments that model specific threat scenarios, identify vulnerabilities, and enumerate exploitation possibilities. While the testing methodology is flexible, each assessment includes – at a minimum – the following processes:</p> <ul> <li>Documentation review</li> <li>Developer interviews</li> <li>Threat modeling</li> <li>Design review of new features and functions</li> <li>Active testing of mutually agreed upon features and functions</li> <li>Review of changes made to fix vulnerabilities identified in previous releases</li> <li>Manual and automated penetration testing</li> <li>Code review (where necessary for validation)</li> <li>Validation testing of “security assertions” for inclusion in the Independent Security Report (iSR)</li> </ul> <p>iSEC Partners’ iSR provides high-level information about the ongoing process to improve security and more specific information about tests conducted against specific features. iSEC Partners believes the independent review of security assertions provides the following benefits:</p> <ul> <li>Customers and prospective customers benefit from validation of specific assertions made by the product and visibility into the ongoing security assessment process</li> <li>Our Clients receive the iSR that can be used proactively in their sales processes. They also benefit from consistent and recurring recommendations for improving the security of their product. This predictable and consistent review is much more efficiently folded into the development process than ad hoc security reviews conducted when budgets allow and customers demand.</li> <li>Venture Companies and individual investors benefit from the knowledge that the company and product they have invested in - or are evaluating for funding – have an ongoing security assessment process</li> </ul> <br class="clear" /> Tue, 01 May 2007 04:21:01 -0700 anastasia 216 at http://website.isecpartners.com