
PROPOSAL

FOR

SECURITY SERVICES

SUBMITTED TO

ALPHA GROUP OF INSTITUTIONS

SUBMITTED BY

MUTHUKUMAR M

ISO 27001 LA, CEH, LPT

JUN 2020
Security Proposal Confidential

STATEMENT OF CONFIDENTIALITY

I, Muthukumar M, submit the enclosed information to Alpha Group of Institutions for the purpose of
evaluation of the services offered. The information contained in this document, in its entirety, is considered
both confidential and proprietary and may not be copied or disclosed to any other party without prior
written consent. This document is not intended to create a binding agreement between the parties; such
an agreement shall be reflected only by a definitive contract, signed and delivered.

Proposal – VAPT Confidential



Muthukumar’s Competency

Muthukumar M is an ECSA, CEH, ISO 27K LA, ITIL V3 and CCSA certified information security
professional with 12+ years of experience in Vulnerability Assessment (management) and Penetration
Testing (VA/PT), Security Operations and Engineering (SOC, NOC), Security Testing, ISO 27001 Audit,
ITSM Audits, PCI DSS Compliance, BCP & DRP, Risk Management and Compliance.

An ISO 27001 Information Security Management LA certified professional with an overall experience in
both Information Security and IT service Management.

IT professional with extensive experience in the engineering, architecture, administration and support of
information security systems. In-depth expertise in the implementation, analysis, optimization,
troubleshooting and documentation of various security products and policies.

Track record of diagnosing complex problems and delivering effective solutions. Areas of expertise
include global consulting, project management and delivery.

A dynamic, result-oriented leader with expertise in devising and managing internal controls aimed at
enhancing overall information security, organizational compliance posture and policies, and process
improvement and excellence.

Hands-on experience in Vulnerability Assessment and Penetration Testing, mobile application testing,
SOC, ITSM audits, ISO 27K implementation and PCI DSS.




CONTENTS

1. ABOUT ALPHA GROUP OF INSTITUTIONS ..................................................... 5

2. SCOPE OF WORK ............................................................................ 5

3. ACTIVITIES ................................................................................ 5

3. METHODOLOGY .............................................................................. 6

4. DELIVERABLES ............................................................................. 9

4.1 SECURITY ASSESSMENT REPORT .............................................................. 9

4.2 PENETRATION TESTING REPORT .............................................................. 9

4.3 CUSTOMER ASSISTANCE REQUIRED ........................................................... 10

5. COMMERCIAL .............................................................................. 10




1. ABOUT ALPHA GROUP OF INSTITUTIONS

Alpha Group of Institutions has scripted success stories and has created new benchmarks in the field of
education. Over the last 50 years, millions of students have passed out of the portals of the Group’s
institutions and have done the school and the country proud by having successful careers. Many are
serving in various Civil Services like IAS, IFS, IRS etc and several hold key positions in top corporates.
Under the aegis of Alpha Educational Society, the Alpha Group presently runs seven educational
institutions offering State, National and International curricula at its various centres.

The institutions are professionally managed under the committed supervision of the Group’s Chairperson,
Dr. Mrs. Grace George and Vice Chairperson, Mrs. Suja George. The Alpha schools offer CBSE
curriculum at CIT Nagar and Porur. International Cambridge curriculum along with CBSE is offered at our
Sembakkam campus. We also offer the Matriculation Higher Secondary School Certificate (Std XII) at
Sembakkam and CIT Nagar.

2. SCOPE OF WORK

Sonata understands that the customer wants to conduct an Application Security Assessment of their
website:

https://www.alphagroup.edu/

3. Activities

S.No | Activity | Description

Phase 1

1 | Initial setup | Discuss with the Alpha group team for necessary permissions and access privileges to conduct the Appsec testing
2 | Security Penetration Testing | Perform Security Penetration Testing on https://www.alphagroup.edu/
3 | Reporting and Recommendations | Detailed report on the vulnerabilities identified; gap analysis and patching recommendations




3. METHODOLOGY

The remote penetration testing will be performed in accordance with the following leading international
security standards:

- The Open Source Security Testing Methodology Manual (OSSTMM) provides a standardized approach to
thorough information security testing. It sets forth a set of rules and guidelines for effective
penetration testing, vulnerability assessments and information security analysis, including the use
of open source testing tools for the standardization of security testing and the improvement of
automated vulnerability testing tools.
- ISO 27001 for the security process audit. This standard defines a set of accepted guidelines for
developing enterprise-level security controls. It forms a basis for instituting best practices for
information security management in an organization.

Objective

- To gain a complete understanding of threats and vulnerabilities in your environment.
- To secure the environment by filling the gaps.




Appsec Process

1. Injection

Injection flaws, such as SQL injection, LDAP injection, and CRLF injection, occur when an attacker sends
untrusted data to an interpreter, where it is executed as part of a command without proper authorization.
Application security testing can easily detect injection flaws. Developers should use parameterized queries
when coding to prevent injection flaws.
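The contrast the paragraph draws, as an added example that is not part of the proposal: a lookup built by string concatenation beside the same lookup as a parameterized query, run against a constructed in-memory SQLite table (the table, the user names and the test input are all assumptions made for this illustration). The concatenated version lets the input change the query, so a tautology input returns every row; the parameterized version treats the same input as a plain value and returns nothing.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")],
    )
    conn.commit()
    return conn


def lookup_email_unsafe(conn, username):
    """Vulnerable: the username is spliced into the SQL text, so the input can rewrite the query."""
    sql = "SELECT email FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, username):
    """Hardened: a parameterized query sends the value separately; it is never parsed as SQL."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups with an ordinary name and with a constructed tautology test input."""
    conn = build_demo_db()
    normal = "alice"
    tautology = "x' OR '1'='1"  # constructed test input of the kind a tester submits
    return {
        "unsafe_normal": lookup_email_unsafe(conn, normal),
        "unsafe_tautology": lookup_email_unsafe(conn, tautology),
        "safe_normal": lookup_email_safe(conn, normal),
        "safe_tautology": lookup_email_safe(conn, tautology),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The finding a tester would write up is the difference between `unsafe_tautology` (three addresses) and `safe_tautology` (empty): the database driver, not string quoting, is what keeps data and code apart.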

2. Broken Authentication and Session Management


Incorrectly configured user and session authentication could allow attackers to compromise passwords,
keys, or session tokens, or take control of users’ accounts to assume their identities. Multi-factor
authentication, such as FIDO or dedicated apps, reduces the risk of compromised accounts.

3. Sensitive Data Exposure


Applications and APIs that don’t properly protect sensitive data such as financial data, usernames and
passwords, or health information, could enable attackers to access such information to commit fraud or
steal identities. Encryption of data at rest and in transit can help you comply with data protection
regulations.

4. XML External Entity


Poorly configured XML processors evaluate external entity references within XML documents. Attackers
can use external entities for attacks including remote code execution, and to disclose internal files and
SMB file shares. Static application security testing (SAST) can discover this issue by inspecting
dependencies and configuration.
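The configuration fix the paragraph points at, as an added example that is not part of the proposal: a parser for untrusted XML built on Python's standard `xml.parsers.expat` that refuses any DOCTYPE (the only place external entities can be declared) and refuses to resolve an external entity reference if one is ever reached. The two sample documents are constructed for this illustration; the `file:///placeholder/...` system identifier is a placeholder and not a real path.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DTD or asks for an external entity."""


def parse_untrusted_xml(data):
    """Parse XML from an untrusted source and return the element names in document order.

    A DOCTYPE declaration is rejected before any entity processing can begin, and a
    request to resolve an external entity is refused outright (defence in depth).
    """
    parser = xml.parsers.expat.ParserCreate()
    elements = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE declarations are not accepted from untrusted input")

    def reject_external_entity(context, base, system_id, public_id):
        raise UnsafeXMLError("external entity reference refused: %r" % (system_id,))

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(data, True)  # exceptions raised in handlers propagate out of Parse
    return elements


def is_accepted(data):
    """Convenience wrapper: True if the document parses under the hardened settings."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXMLError:
        return False


# Constructed sample documents: a benign record and one declaring an external entity.
BENIGN = b"<order><item>book</item><qty>2</qty></order>"
WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path">]>'
    b"<order><item>&ext;</item></order>"
)

if __name__ == "__main__":
    print("benign accepted:", is_accepted(BENIGN))
    print("external entity accepted:", is_accepted(WITH_EXTERNAL_ENTITY))
```

Rejecting the DOCTYPE wholesale is the simplest rule to audit in a SAST review: if the application never legitimately needs a DTD, the presence of one in input is itself a finding.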

5. Broken Access Control


Improperly configured or missing restrictions on authenticated users allow them to access unauthorized
functionality or data, such as accessing other users’ accounts, viewing sensitive documents, and
modifying data and access rights. Penetration testing is essential for detecting non-functional access
controls; other testing methods only detect where access controls are missing.

6. Security Misconfiguration

This risk refers to improper implementation of controls intended to keep application data safe, such as
misconfiguration of security headers, error messages containing sensitive information (information
leakage), and not patching or upgrading systems, frameworks, and components. Dynamic application
security testing (DAST) can detect misconfigurations, such as leaky APIs.
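The header side of this check, as an added example that is not part of the proposal: a small audit over one HTTP response's headers that reports missing hardening headers, a weak HSTS max-age, and headers that disclose the server stack. The required-header list, the 180-day HSTS threshold and the two sample header sets are assumptions chosen for this illustration; a DAST tool would run the same logic over every response it collects.

```python
# Headers expected on every HTML response (names are matched case-insensitively).
REQUIRED_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "content-security-policy",
)
# Headers that disclose the server stack to anyone who asks (information leakage).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
MIN_HSTS_MAX_AGE = 15552000  # about 180 days; threshold assumed for this example


def hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value; 0 if absent or malformed."""
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                return int(directive[len("max-age="):])
            except ValueError:
                return 0
    return 0


def audit_headers(headers):
    """Return a list of finding strings for one response's headers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in REQUIRED_HEADERS:
        if name not in lowered:
            findings.append("missing header: " + name)
    hsts = lowered.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append("weak strict-transport-security: %r" % hsts)
    xcto = lowered.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append("weak x-content-type-options: %r" % xcto)
    for name in DISCLOSURE_HEADERS:
        if name in lowered:
            findings.append("version disclosure: %s: %s" % (name, lowered[name]))
    return findings


# Constructed sample responses: a typical out-of-the-box deployment and a hardened one.
WEAK = {
    "Content-Type": "text/html",
    "Server": "ExampleHTTPd/1.2.3",
    "X-Powered-By": "ExampleFramework/4.5",
    "Strict-Transport-Security": "max-age=0",
}
HARDENED = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
}

if __name__ == "__main__":
    for finding in audit_headers(WEAK):
        print("WEAK:", finding)
    print("HARDENED findings:", audit_headers(HARDENED))
```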

7. Cross-Site Scripting

Cross-site scripting (XSS) flaws give attackers the capability to inject client-side scripts into the
application, for example, to redirect users to malicious websites. Developer training complements
security testing to help programmers prevent cross-site scripting with coding best practices, such as
encoding data and input validation.
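The two coding practices the paragraph names, as an added example that is not part of the proposal: output encoding for the HTML text and attribute contexts a value lands in, plus input validation for a field with a known shape. The greeting and link fragments, the display-name pattern and the test marker string are assumptions constructed for this illustration.

```python
import html
import re


def render_greeting_unsafe(display_name):
    """Vulnerable: untrusted text is concatenated straight into the HTML body."""
    return "<p>Welcome, " + display_name + "</p>"


def render_greeting_safe(display_name):
    """Hardened: encode for the HTML text context the value lands in."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def render_link_safe(display_name):
    """Attribute context: same encoder, and the value must also sit inside quotes."""
    return '<a href="/profile" title="' + html.escape(display_name, quote=True) + '">profile</a>'


# Validation for a field with a known shape, applied before the value is ever stored.
DISPLAY_NAME = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")


def valid_display_name(name):
    """Accept letters, spaces, dots, apostrophes and hyphens only; reject everything else."""
    return DISPLAY_NAME.fullmatch(name) is not None


def contains_script_tag(rendered):
    """Test oracle for the examples: does the rendered fragment still carry a <script> tag?"""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


MARKER = "<script>alert('xss')</script>"  # constructed test marker for the oracle above

if __name__ == "__main__":
    print(render_greeting_unsafe(MARKER))
    print(render_greeting_safe(MARKER))
    print(render_link_safe('a"b'))
    print(valid_display_name("Mary O'Neil"), valid_display_name(MARKER))
```

Validation and encoding are complementary rather than alternatives: the pattern rejects the marker outright, while the encoder is what protects fields that legitimately contain punctuation (an apostrophe in a surname, for instance).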




8. Insecure Deserialization

Insecure deserialization flaws can enable an attacker to execute code in the application remotely, tamper
with or delete serialized (written to disk) objects, conduct injection attacks, and elevate privileges.
Application security tools can detect deserialization flaws, but penetration testing is frequently needed
to validate the problem.
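Two defensive patterns for this risk, as an added example that is not part of the proposal: an allow-listing unpickler for legacy data that still arrives as Python pickles (the `find_class` override pattern from the Python standard library documentation), and a plain JSON session record checked against an explicit shape, which is the better design for new code. The allow-list, the session fields, the roles and the sample inputs are assumptions constructed for this illustration.

```python
import datetime
import io
import json
import pickle

# Allow-list of (module, name) globals an untrusted pickle may reference.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to import anything outside the allow-list.

    Scalars and plain containers never go through find_class, so they still load;
    any instance of an arbitrary class is stopped at the import step.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("refusing to load %s.%s from untrusted data" % (module, name))


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_restricted_loads(data):
    """Return (accepted, value) so a caller can log a rejection instead of crashing."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError:
        return False, None


ALLOWED_ROLES = ("student", "staff", "admin")


def load_session_json(text):
    """Preferred design: a JSON document validated against an explicit shape."""
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != {"user_id", "role"}:
        raise ValueError("unexpected session shape")
    if not isinstance(obj["user_id"], int) or isinstance(obj["user_id"], bool):
        raise ValueError("user_id must be an integer")
    if obj["role"] not in ALLOWED_ROLES:
        raise ValueError("unknown role")
    return obj


def session_json_is_valid(text):
    try:
        load_session_json(text)
        return True
    except (ValueError, TypeError):
        return False


# Constructed inputs: a benign container and an object whose class is outside the allow-list.
BENIGN_PICKLE = pickle.dumps({"ids": [1, 2, 3], "tags": {"a", "b"}})
CLASS_PICKLE = pickle.dumps(datetime.date(2020, 6, 1))

if __name__ == "__main__":
    print(try_restricted_loads(BENIGN_PICKLE))
    print(try_restricted_loads(CLASS_PICKLE))
    print(session_json_is_valid('{"user_id": 7, "role": "staff"}'))
```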

9. Using Components With Known Vulnerabilities


Developers frequently don’t know which open source and third-party components are in their applications,
making it difficult to update components when new vulnerabilities are discovered. Attackers can exploit an
insecure component to take over the server or steal sensitive data. Software composition
analysis conducted at the same time as static analysis can identify insecure versions of components.

10. Insufficient Logging and Monitoring


The time to detect a breach is frequently measured in weeks or months. Insufficient logging and
ineffective integration with security incident response systems allow attackers to pivot to other systems
and maintain persistent threats.
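Bringing together the Broken Access Control item (section 5) and this one, as an added example that is not part of the proposal: an object-level authorization check that enforces record ownership, writes every outcome to a structured audit log, and a detection over that log that flags a user whose failed lookups reach a threshold, which is the kind of signal an incident response process needs to receive promptly. The document store, user ids, threshold and simulated request sequence are assumptions constructed for this illustration.

```python
import json
import logging
import time

logger = logging.getLogger("audit")

# Constructed document store: document id -> owner's user id and content.
DOCUMENTS = {
    "rpt-100": {"owner": 1, "body": "transcript of user 1"},
    "rpt-200": {"owner": 2, "body": "transcript of user 2"},
}


class Forbidden(PermissionError):
    pass


class AuditLog:
    """Collects structured security events and also emits each one to the 'audit' logger."""

    def __init__(self):
        self.events = []

    def record(self, action, user_id, target, outcome):
        event = {"ts": time.time(), "action": action, "user_id": user_id,
                 "target": target, "outcome": outcome}
        self.events.append(event)
        logger.info(json.dumps(event))

    def failures_by_user(self):
        """Count denied and not-found lookups per user; both are failed object references."""
        counts = {}
        for event in self.events:
            if event["outcome"] in ("denied", "not_found"):
                counts[event["user_id"]] = counts.get(event["user_id"], 0) + 1
        return counts

    def flag_enumeration(self, threshold=3):
        """Users whose failed lookups reach the threshold (possible identifier guessing)."""
        return sorted(u for u, n in self.failures_by_user().items() if n >= threshold)


def get_document(session_user_id, doc_id, audit):
    """Object-level authorization: the caller must own the record; every outcome is logged."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        audit.record("doc.read", session_user_id, doc_id, "not_found")
        raise KeyError(doc_id)
    if doc["owner"] != session_user_id:
        audit.record("doc.read", session_user_id, doc_id, "denied")
        raise Forbidden("user %s may not read %s" % (session_user_id, doc_id))
    audit.record("doc.read", session_user_id, doc_id, "ok")
    return doc["body"]


def simulate():
    """Replay a constructed request sequence and return (outcomes, audit log)."""
    audit = AuditLog()
    outcomes = []
    requests = [(1, "rpt-100"), (2, "rpt-100"), (2, "rpt-300"), (2, "rpt-400"), (2, "rpt-200")]
    for user, doc in requests:
        try:
            get_document(user, doc, audit)
            outcomes.append("ok")
        except Forbidden:
            outcomes.append("denied")
        except KeyError:
            outcomes.append("not_found")
    return outcomes, audit


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    outcomes, audit = simulate()
    print(outcomes)
    print("flagged users:", audit.flag_enumeration())
```

Logging the denial, not only the success, is the point: the access control alone stops the request, but without the event there is nothing for monitoring to correlate, which is how detection times stretch into the weeks and months the paragraph describes.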

4. DELIVERABLES

4.1 Security Assessment report

A detailed report after completion of the assessment will highlight the weaknesses in the system that
affect the availability, reliability and integrity of information assets. It will also provide the solutions for
covering each identified risk.
The report will contain the following:

- Details of all the vulnerabilities found in the server applications. This will cover Vulnerability
Description, Proof of Concept and the remedial measures.
- Assessment of the mechanisms for protecting the confidentiality of sensitive information and possible
gaps for their compromise, both internally and externally.
- Recommendations for overcoming the weaknesses and solutions for strengthening security.

4.2 Penetration Testing Report

This report will contain the following:

- Categorization of vulnerabilities based on risk level
- Details of security vulnerabilities/loopholes.




- Emergency quick-fix solution for discovered vulnerabilities
- Long-term solution for discovered vulnerabilities

4.3 Customer Assistance Required

In order to optimize the effectiveness of the engagement, the customer needs to provide access to systems, services,
and employees. To perform the work specified in this statement of work, Alpha group will require the
following from the customer:

- Access to relevant personnel
- A primary point of contact
- Availability of the Customer’s infrastructure personnel for escalating any issues during the security
testing
- NDA or other agreements as needed

5. COMMERCIAL

Commercials for the scope of services outlined in this proposal.

S. No | Service Description | Price (in INR)
1. | Application security testing for https://www.alphagroup.edu/ | 50000
Total Price | 50000

