Secure deployment testing

1    Verify that the deployment process is functionally correct.
2    Make sure that the secure deployment documentation is correct and provides best security practices.
3    Validate the permissions and rights required for the different servers and user roles: business users, visitors, editors, publishers, and administrators. This includes:
    Secure ACLs on configuration files, registry keys, temporary files, named pipes, mutexes, and all other securable objects.
    Correct configuration of database roles, stored procedures, and service/application accounts.
    Looking for components running by default when they shouldn’t be.
    Investigating network ports. Verify IDL files for correctness.
    Checking that sensitive data is not exposed in logs, event viewer, remote error messages, traces, and registry keys.
    Ensuring that failures are graceful, that the default system state is access denied (instead of all access), and that no critical information is leaked to the client/remote caller.
4    Verify the lockdown templates/settings representing the common “server roles” that the product is used in.
5    Verify that the least privilege principle is followed.
6    Verify that the separation of privilege principle is followed.
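
One way to test the ACL item in step 3 on a Windows deployment, as an added example that is not part of the original post: the hypothetical function `Find-WeakConfigAcl` reports allow entries that give Everyone, Authenticated Users or BUILTIN\Users write-level access to a file. The list of principals and the rights mask are assumptions to adjust to the product's lockdown template, and the demo file is constructed.

```powershell
# Added example: report ACL entries that let broad groups change a config file.
# Assumption: these well-known SIDs are the principals that should never have write access.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Write-level rights, plus GENERIC_ALL / GENERIC_WRITE, which some ACEs carry unmapped.
$fsr = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership) -bor 0x10000000 -bor 0x40000000

function Find-WeakConfigAcl {
    param([Parameter(Mandatory)][string[]]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($p in $Path) {
        # Ask for SIDs so the check does not depend on localized group names.
        $rules = (Get-Acl -LiteralPath $p).GetAccessRules($true, $true, $sidType)
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            $canWrite = ([int]$ace.FileSystemRights -band $WriteMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid) -and $canWrite) {
                [pscustomobject]@{
                    Path      = $p
                    Principal = $BroadSids[$sid]
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Constructed demo: a throwaway file with a deliberately weak entry, then the audit.
$dir = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$cfg = Join-Path $dir 'app.config'
Set-Content -LiteralPath $cfg -Value '<configuration/>'
$acl = Get-Acl -LiteralPath $cfg
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, 'Modify', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $cfg -AclObject $acl
Find-WeakConfigAcl -Path $cfg | Format-Table -AutoSize
Remove-Item -LiteralPath $dir -Recurse -Force
```

In a deployment test, pass the product's real configuration paths and fail the run if the function returns any rows.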

author

Vinay Jagtap

A hard-core technocrat with over a decade of extensive experience in heading complex test projects, coupled with real-time experience of project management and thought leadership. Extensive experience in performance, security and automation testing, in the development of automation frameworks, and in setting up and running global service centers and Centers of Excellence for testing.

Copyright © T R I A G E D T E S T E R