FOR SECURITY SERVICES
SUBMITTED TO: Alpha Group of Institutions
SUBMITTED BY: MUTHUKUMAR M
JUN 2020
Security Proposal Confidential
STATEMENT OF CONFIDENTIALITY
I, Muthukumar M, submit the enclosed information to Alpha Group of Institutions for the purpose of
evaluating the services offered. The information contained in this document, in its entirety, is considered
both confidential and proprietary and may not be copied or disclosed to any other party without prior
written consent. This document is not intended to create a binding agreement between the parties; such
an agreement shall be reflected only by a definitive contract, signed and delivered.
Muthukumar's Competency
Muthukumar M is an ECSA, CEH, ISO 27001 LA, ITIL V3 and CCSA certified information security
professional with 12+ years of experience in Vulnerability Assessment and Penetration Testing (VA/PT),
Security Operations and Engineering (SOC, NOC), Security Testing, ISO 27001 Audit, ITSM Audits,
PCI DSS Compliance, BCP & DRP, Risk Management and Compliance.
An ISO 27001 Information Security Management Lead Auditor certified professional with overall experience
in both Information Security and IT Service Management.
IT professional with extensive experience in the engineering, architecture, administration and support of
information security systems. In-depth expertise in the implementation, analysis, optimization,
troubleshooting and documentation of various security products and policies.
Track record of diagnosing complex problems and delivering effective solutions. Areas of expertise
include global consulting, project management and delivery.
A dynamic, result-oriented leader with expertise in devising and managing internal controls aimed at
enhancing overall information security, the organizational compliance posture, and policy and process
improvement and excellence.
Hands-on experience in Vulnerability Assessment and Penetration Testing, mobile application testing,
SOC, ITSM audits, ISO 27K implementation and PCI DSS.
CONTENTS
3. ACTIVITIES (page 5)
3. METHODOLOGY (page 6)
4. DELIVERABLES (page 9)
5. COMMERCIAL (page 10)
Alpha Group of Institutions has scripted success stories and has created new benchmarks in the field of
education. Over the last 50 years, millions of students have passed out of the portals of the Group’s
institutions and have done the school and the country proud by having successful careers. Many are
serving in various Civil Services like IAS, IFS, IRS etc and several hold key positions in top corporates.
Under the aegis of Alpha Educational Society, the Alpha Group presently runs seven educational
institutions offering State, National and International curricula at its various centres.
The institutions are professionally managed under the committed supervision of the Group’s Chairperson,
Dr. Mrs. Grace George and Vice Chairperson, Mrs. Suja George. The Alpha schools offer CBSE
curriculum at CIT Nagar and Porur. International Cambridge curriculum along with CBSE is offered at our
Sembakkam campus. We also offer the Matriculation Higher Secondary School Certificate (Std XII) at
Sembakkam and CIT Nagar.
2. SCOPE OF WORK
Sonata understands that the customer wants to conduct an Application Security Assessment of its
website:
https://www.alphagroup.edu/
3. ACTIVITIES
Phase 1: Application security testing of https://www.alphagroup.edu/
3. METHODOLOGY
The remote penetration testing will be performed in accordance with the following leading international
security standards:
The Open Source Security Testing Methodology Manual (OSSTMM) provides a standardized approach to
thorough information security testing. It sets out rules and guidelines for effective penetration testing,
vulnerability assessment and information security analysis, including the use of open source testing
tools, so that results are consistent and repeatable, and it supports the improvement of automated
vulnerability testing tools.
ISO/IEC 27001 for security process audit. This standard defines the accepted requirements for an
information security management system and the security controls built on it. It forms the basis for
instituting best practices for information security management in an organization.
Objective
Appsec Process
1. Injection
Injection flaws, such as SQL injection, LDAP injection and CRLF injection, occur when untrusted data sent
by an attacker reaches an interpreter and is executed as part of a command or query rather than treated
as data. Application security testing can readily detect injection flaws. Developers should use
parameterized queries (prepared statements) so that user input is never parsed as query syntax.
2. Broken Authentication
Incorrectly configured user and session authentication can allow attackers to compromise passwords,
keys or session tokens, or to take over user accounts and assume their identities. Multi-factor
authentication, such as FIDO authenticators or dedicated authenticator apps, reduces the risk of account
compromise.
6. Security Misconfiguration
This risk refers to improper implementation of the controls intended to keep application data safe, such as
misconfigured security headers, error messages that disclose sensitive information (information
leakage), and unpatched or outdated systems, frameworks and components. Dynamic application
security testing (DAST) can detect misconfigurations such as leaky APIs.
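As an added example (not part of this proposal), the following Python function performs the kind of security-header check a DAST tool or a tester runs against each response: it flags missing hardening headers, a weak HSTS max-age, and Server/X-Powered-By banners that disclose versions. The header list and the two sample responses are my own constructed assumptions, not observations about the target site.

```python
import re
from typing import Dict, List

ONE_YEAR_SECONDS = 31536000

# Browser-hardening headers a public site should send. The selection and
# the reasons are the example author's choices, not a list from the proposal.
REQUIRED_HEADERS = {
    "strict-transport-security": "forces HTTPS; defeats SSL stripping",
    "content-security-policy": "restricts script sources; limits XSS impact",
    "x-content-type-options": "stops MIME sniffing; must be 'nosniff'",
    "x-frame-options": "blocks clickjacking (or use CSP frame-ancestors)",
}

# Headers that commonly disclose product versions, which let an attacker
# go straight to the known CVEs for that release.
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one HTTP response's headers.
    Header names are matched case-insensitively, as HTTP requires."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    for name, why in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(f"missing {name} ({why})")

    xcto = lower.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append(f"x-content-type-options is {xcto!r}, not 'nosniff'")

    # HSTS is only effective with a long max-age; the preload list requires a year.
    hsts = lower.get("strict-transport-security", "")
    match = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
    if hsts and (match is None or int(match.group(1)) < ONE_YEAR_SECONDS):
        findings.append(f"strict-transport-security max-age below one year ({hsts!r})")

    for name in LEAKY_HEADERS:
        value = lower.get(name, "")
        if re.search(r"\d", value):
            findings.append(f"{name} discloses a version string: {value!r}")

    return findings


# Constructed responses: a typical default install, and the same server hardened.
WEAK_RESPONSE = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=300",
}

HARDENED_RESPONSE = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}:")
        for finding in audit_headers(response) or ["no findings"]:
            print("  -", finding)
```

To run it against a live target, pass the response headers from an HTTP client (for example `dict(response.headers)` from a GET to the site root) instead of the constructed dictionaries; each finding maps directly to a report line under Security Misconfiguration.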
7. Cross-Site Scripting
Cross-site scripting (XSS) flaws give attackers the ability to inject client-side scripts into the
application, for example to redirect users to malicious websites. Developer training complements
security testing by helping programmers prevent cross-site scripting through secure coding practices
such as context-aware output encoding and input validation.
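The following is an added Python example, not code from this proposal or the target site, illustrating the two defences named above: output encoding for the HTML context a value lands in, and input validation for the one case encoding cannot fix (a user-supplied link whose scheme is `javascript:`). The profile-rendering functions and the attacker inputs are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Schemes a user-supplied link may use; anything else (javascript:, data:,
# vbscript:, protocol-relative //host) is rejected rather than encoded.
SAFE_SCHEMES = frozenset({"http", "https"})


def safe_link(url: str) -> str:
    """Allow-list the scheme of an untrusted URL. Encoding alone does not
    help here: <a href="javascript:alert(1)"> is valid, fully encoded HTML."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in SAFE_SCHEMES:
        raise ValueError(f"refusing link with scheme {scheme!r}")
    return url


def render_profile_vulnerable(display_name: str, homepage: str) -> str:
    # Raw interpolation: whatever the user typed becomes part of the page.
    return f'<p>Hello, {display_name}! Visit <a href="{homepage}">your site</a>.</p>'


def render_profile(display_name: str, homepage: str) -> str:
    # Encode for the context each value lands in: entity-encode element
    # text; validate the URL's scheme, then entity-encode it (quote=True
    # also escapes the double quotes that delimit the attribute).
    name_html = html.escape(display_name)
    href = html.escape(safe_link(homepage), quote=True)
    return f'<p>Hello, {name_html}! Visit <a href="{href}">your site</a>.</p>'


def demo() -> dict:
    """Constructed attacker inputs, one per injection context."""
    script_name = "<script>alert(document.cookie)</script>"
    attr_breakout = 'https://example.org/" onmouseover="alert(1)'
    js_link = "javascript:alert(1)"

    vulnerable = render_profile_vulnerable(script_name, js_link)
    safe_text = render_profile(script_name, "https://example.org/")
    safe_attr = render_profile("mallory", attr_breakout)
    try:
        render_profile("mallory", js_link)
        js_blocked = False
    except ValueError:
        js_blocked = True
    return {
        "vulnerable": vulnerable,
        "safe_text": safe_text,
        "safe_attr": safe_attr,
        "js_link_blocked": js_blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the third input is that `html.escape` defuses the attribute break-out (`"` becomes `&quot;`) but would happily pass `javascript:alert(1)` through unchanged, which is why the scheme allow-list is a separate validation step rather than more encoding. In a real application a templating engine with auto-escaping supplies the encoding; the scheme check still has to be written.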
8. Insecure Deserialization
Insecure deserialization flaws can enable an attacker to execute code remotely in the application, tamper
with or delete serialized (written to disk) objects, conduct injection attacks and elevate privileges.
Application security tools can detect deserialization flaws, but penetration testing is frequently needed
to validate the problem.
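As an added example (not part of this proposal), the following Python code shows why deserializing untrusted data is a code-execution flaw and what a validated fix looks like. A `pickle` payload is built that instructs the loader to call a function of the attacker's choosing; `pickle.loads` runs it, while an `Unpickler` subclass that allow-lists the globals it will resolve refuses it and still loads the one type the application is assumed to need. The `gadget` function, the `Payload` class and the allow-listed `OrderedDict` are illustrative assumptions.

```python
import io
import pickle
from collections import OrderedDict

# Record of side effects, so the result shows whether the payload ran.
EXECUTED = []


def gadget(tag: str) -> str:
    """Stand-in for os.system or similar: any callable reachable by
    module and name can be named in a pickle stream."""
    EXECUTED.append(tag)
    return tag


class Payload:
    """Object whose pickled form tells the loader to call gadget('pwned').
    The victim never needs this class; only the bytes are sent to it."""

    def __reduce__(self):
        return (gadget, ("pwned",))


def build_payload() -> bytes:
    return pickle.dumps(Payload())


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list the globals the loader may resolve. Everything else,
    including gadget, os.system and subprocess.Popen, is refused before
    any call happens."""

    ALLOWED = frozenset({("collections", "OrderedDict")})  # assumed app need

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    EXECUTED.clear()
    data = build_payload()
    pickle.loads(data)  # vulnerable: resolves and calls gadget() during load
    ran_vulnerable = list(EXECUTED)

    EXECUTED.clear()
    try:
        safe_loads(data)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True

    # The restricted loader still handles data the application legitimately uses.
    plain = safe_loads(pickle.dumps(OrderedDict(a=1, b=[2, 3])))
    return {
        "vulnerable_ran": ran_vulnerable,
        "restricted_blocked": blocked,
        "restricted_side_effects": list(EXECUTED),
        "allowed_type_roundtrip": plain,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

During a test, the proof of concept is the same shape: a serialized object that, on load, performs an observable action (here appending to `EXECUTED`; in an engagement, typically a DNS lookup or a harmless file write). The durable fix is to avoid native serialization formats for untrusted input altogether and use a data-only format such as JSON with schema validation; the allow-listing unpickler is the mitigation when the format cannot be changed.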
4. DELIVERABLES
A detailed report, delivered after completion of the assessment, will highlight the weaknesses in the
system that affect the availability, reliability and integrity of information assets. It will also provide
solutions for addressing each identified risk.
The report will contain the following:
Details of all vulnerabilities found in the server applications, covering for each a vulnerability
description, a proof of concept and the remedial measures.
An assessment of the mechanisms protecting the confidentiality of sensitive information, and of the
possible gaps through which it could be compromised, both internally and externally.
Recommendations for overcoming the weaknesses found and solutions for strengthening security.
To optimize the effectiveness of the assessment, the customer needs to provide access to systems,
services and employees. To perform the work specified in this statement of work, the following will be
required from the customer:
5. COMMERCIAL
S. No | Service Description | Price (in INR)