
Symantec Penetration Testing

Symantec Penetration Test - Fortress ES520

Excerpts:

"A Symantec penetration test is designed to provide insight into methods of attack against a target and present a reasonable example of what an attacker might accomplish.

During the course of a penetration test, Symantec attempts to bypass security controls through a variety of techniques.

  • SQL injection
  • Command injection
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Insecure cryptographic algorithms
  • Information leakage
  • Improper error handling
  • Missing patches
  • Weak passwords
  • Vendor default settings
During the initial penetration test, Symantec observed that the ES520 was reasonably hardened and did not expose extraneous services, which helped to minimize the available attack surface.

Following the initial test, Fortress undertook a thorough effort to fully remediate the reported vulnerabilities, and subsequently asked Symantec to perform re-tests of the ES520 and its new operating software during 2008 and 2009. During the re-test exercises, Fortress continued to work with Symantec in order to ensure that all identified vulnerabilities were remediated. Following the final re-test in June 2009, Symantec found that all previously identified vulnerabilities in the ES520 had been remediated.

Areas Targeted During the Assessment

Fortress engaged Symantec to examine the security mechanisms associated with each of the following areas:
  • External communications
  • System and application configuration
  • Application protocols
  • Account and password credentials
  • Authentication and authorization control mechanisms
  • Session management
  • Data validation
  • Error handling
  • Business logic
  • Encryption ciphers
Test Methodologies Employed

The following testing methods were employed to evaluate the security posture of the Fortress Technologies ES520 against industry best practices.
  • Active probing and scanning
  • Manual probing
  • Evaluation of host hardening practices
  • Evaluation of application security
Conclusion

Through conducting this cycle of penetration testing, remediation, and re-testing, Fortress Technologies has demonstrated its commitment to ensuring that the ES520 can be safely deployed in highly secure government, military, and commercial environments. It was notable that Fortress committed significant time and effort to ensure that it had remediated all identified vulnerabilities, including those that Symantec rated as having a low business impact, instead of simply accepting the minimal risk posed by those vulnerabilities.

Fortress chose to perform this testing as a voluntary measure to supplement, and in certain areas enhance, its compliance with the Federal Information Processing Standard (FIPS) 140-2, which provides security requirements for cryptographic modules."


© 2008-2010 Fortress Technologies. All rights reserved.