FEDRAMP CSP Penetration Test Guidance
PENETRATION TEST
GUIDANCE
Version 2.0
November 24, 2017
SECTION CONTENTS
Section 1 Document Scope
Section 2 Definitions and Assumptions
Section 3 Attack Vectors
Section 4 Scoping The Penetration Test
Section 5 Penetration Test Methodology and Requirements
Section 6 Reporting
Section 7 Test Schedule Requirements
Section 8 3PAO Staffing Requirements
Appendix B References
Appendix C Rules of Engagement/Test Plan
HOW TO CONTACT US
Questions about FedRAMP or this document should be directed to info@fedramp.gov.
For more information about FedRAMP, visit the website at http://www.fedramp.gov.
TABLE OF CONTENTS
DOCUMENT REVISION HISTORY
1. SCOPE
2. DEFINITIONS & THREATS
2.1. DEFINITIONS
2.2. THREAT MODELS
2.3. THREAT MODELING
3. ATTACK VECTORS
3.1. EXTERNAL TO CORPORATE – EXTERNAL UNTRUSTED TO INTERNAL UNTRUSTED
3.2. EXTERNAL TO TARGET SYSTEM – EXTERNAL UNTRUSTED TO EXTERNAL TRUSTED
3.3. TARGET SYSTEM TO CSP MANAGEMENT SYSTEM – EXTERNAL TRUSTED TO INTERNAL TRUSTED
3.4. TENANT TO TENANT – EXTERNAL TRUSTED TO EXTERNAL TRUSTED
3.5. CORPORATE TO CSP MANAGEMENT SYSTEM – INTERNAL UNTRUSTED TO INTERNAL TRUSTED
3.6. MOBILE APPLICATION – EXTERNAL UNTRUSTED TO EXTERNAL TRUSTED
4. SCOPING THE PENETRATION TEST
5. PENETRATION TEST METHODOLOGY AND REQUIREMENTS
5.1. INFORMATION GATHERING & DISCOVERY
5.2. WEB APPLICATION/API TESTING INFORMATION GATHERING/DISCOVERY
5.3. MOBILE APPLICATION INFORMATION GATHERING/DISCOVERY
5.4. NETWORK INFORMATION GATHERING/DISCOVERY
5.5. SOCIAL ENGINEERING INFORMATION GATHERING/DISCOVERY
5.6. SIMULATED INTERNAL ATTACK INFORMATION GATHERING/DISCOVERY
5.7. EXPLOITATION
5.7.1. WEB APPLICATION/API EXPLOITATION
5.7.2. MOBILE APPLICATION EXPLOITATION
5.7.3. NETWORK EXPLOITATION
5.7.4. SOCIAL ENGINEERING EXPLOITATION
5.7.5. SIMULATED INTERNAL ATTACK EXPLOITATION
5.8. POST-EXPLOITATION
5.8.1. WEB APPLICATION/API POST-EXPLOITATION
5.8.2. MOBILE APPLICATION POST-EXPLOITATION
5.8.3. NETWORK POST-EXPLOITATION
5.8.4. SOCIAL ENGINEERING POST-EXPLOITATION
5.8.5. SIMULATED INTERNAL ATTACK POST-EXPLOITATION
6. REPORTING
LIST OF FIGURES
Figure 1. Sample Target System
Figure 2. External to Corporate Attack Vector
Figure 3. External to Target System Attack Vector
Figure 4. Target System to CSP Management System
Figure 5. Tenant to Tenant Attack Vector
Figure 6. Corporate to CSP Management System Attack Vector
LIST OF TABLES
Table 1 – Document Section Table
Table 2 – Cloud Service Classification
Table 3 – Types of Attacks
Table 4 – Attack Vector Summary
Table 5 – Discovery Activities
Table 6 – Mobile Application Information Gathering/Discovery
Table 7 – Network Information Gathering/Discovery
Table 8 – Social Engineering Information Gathering/Discovery
Table 9 – Simulated Internal Attack Gathering/Discovery
Table 10 – Web Application/API Exploitation
Table 11 – Mobile Application Exploitation
Table 12 – Network Exploitation
Table 13 – Social Engineer Exploitation
Table 14 – Simulated Internal Attack Exploitation
Table 15 – Post-Exploitation
Table 16 – Web Application/API Post-Exploitation
Table 17 – Network Post-Exploitation
Table 18 – 3PAO Staffing Requirements
1. SCOPE
The Federal Risk and Authorization Management Program (FedRAMP) requires that Penetration
Testing be conducted in compliance with the following guidance:
§ NIST SP 800-115 Technical Guide to Information Security Testing and Assessment,
September 2008
§ NIST SP 800-145 The NIST Definition of Cloud Computing, September 2011
§ NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and
Organizations, Revision 4, April 2013, with updates as of January 2015
§ NIST SP 800-53A Assessing Security and Privacy Controls in Federal Information Systems and
Organizations: Building Effective Assessment Plans, Revision 4, December 2014
FedRAMP also requires that CSP products and solutions (cloud service) undergoing a FedRAMP
assessment and Penetration Test must be classified as a SaaS, PaaS, or IaaS. In some scenarios, it may
be appropriate to apply multiple designations to a cloud service. Table 2 below shows the definitions of
these three service types.
Table 2 – Cloud Service Classification
§ Software as a Service (SaaS) – The capability provided to the consumer is to use the provider’s
applications running on a cloud infrastructure. The applications are accessible from various client
devices through either a thin-client interface, such as a web browser (e.g., web-based email), or a
program interface. The consumer does not manage or control the underlying cloud infrastructure
including network, servers, operating systems, storage, or even individual application capabilities,
with the possible exception of limited user-specific application configuration settings.
§ Platform as a Service (PaaS) – The capability provided to the consumer is to deploy onto the cloud
infrastructure consumer-created or acquired applications created using programming languages,
libraries, services, and tools supported by the provider. The consumer does not manage or control
the underlying cloud infrastructure including network, servers, operating systems, or storage, but
has control over the deployed applications and possibly configuration settings for the
application-hosting environment.
§ Infrastructure as a Service (IaaS) – The capability provided to the consumer is to provision
processing, storage, networks, and other fundamental computing resources where the consumer is
able to deploy and run arbitrary software, which can include operating systems and applications.
The consumer does not manage or control the underlying cloud infrastructure, but has control over
operating systems, storage, and deployed applications; and possibly limited control of select
networking components (e.g., host firewalls).
All components, associated services, and access paths (internal/external) within the defined test
boundary of the CSP system must be scoped and assessed. The Rules of Engagement (ROE) must
identify and define the appropriate testing method(s) and techniques associated with exploitation of
the relevant devices and/or services.
Penetration Testing may require:
§ Negotiation and agreement with third parties such as Internet Service Providers (ISP),
Managed Security Service Providers (MSSP), facility leaseholders, hosting services, and/or
other organizations involved in, or affected by, the test. In such scenarios, the CSP is
responsible for coordination and obtaining approvals from third parties prior to the
commencement of testing.
§ To limit impact on business operations, the complete or partial testing may be conducted in
a non-production environment as long as it is identical to the production environment and
has been validated by the 3PAO. For instance, if a CSP has two identical locations, a
Penetration Test on one location may suffice. In this case, the environments must be exactly
the same, not almost, nearly, or virtually.
§ When the cloud system has multiple tenants, the CSP must build a temporary tenant
environment if another tenant environment suitable for testing does not exist.
The Penetration Test plan must include actual testing of all the attack vectors described in Section 3
below or explain why a particular vector was not applicable. The Independent Assessors (IA) may
include additional attack vectors they believe are appropriate. See Appendix C: ROE/Test Plan Template
for more information regarding test plans.
2.1. DEFINITIONS
The following is a list of definitions for this document.
§ Corporate – Internal CSP network access outside the authorization boundary.
§ Insider Threat – A threat that is posed by an employee or a third party acting on behalf of
the CSP.
§ Management System – A backend application or infrastructure setup that facilitates
administrative access to the cloud service. The Management System is accessible only by
CSP personnel.
§ Roles – Access levels and privileges of a user.
§ System – The cloud service that is offered to government customers.
§ Target – The application or cloud service that will be evaluated during the
Penetration Test.
§ Tenant – A customer instance of the cloud service.
2.3. THREAT MODELING
The IA must ensure the Penetration Test is appropriate for the size and complexity of the cloud system
and takes into account the most critical security risks. The IA must perform the Penetration Test in
accordance with industry best practices and standards. Typical goals for Penetration Testing include:
§ Gaining access to sensitive information
§ Circumventing access controls and privilege escalation
§ Exploiting vulnerabilities to gain access to systems or information
§ Confirming that remediated items are no longer a risk
The IA should test all or a sufficient sample of access points and locations (for physical Penetration
Testing). When the IA tests a sample, the IA must describe how and why the sample was selected, and
why it is sufficient.
The IA should attempt to exploit vulnerabilities and weaknesses throughout the cloud system
environment, including physical Penetration Testing. At a minimum, the IA should verify security doors
are locked, security alarms work, and security guards are present and alert as required by the CSP
organization’s security policies and procedures. These situations must be identified during scoping
sessions and accounted for accordingly in the Rules of Engagement/Test Plan (ROE/TP).
The types of attacks must be repeatable and present a consistent representation of threats, threat
capabilities, and organization-specific threat qualifications. In addition, the types of attacks must
address the goals of the Penetration Test and include both internal and external attacks.
§ Internal – Employees or users who are employed by the CSP, including both privileged and
non-privileged users, in the context of the target system.
§ External – Users and non-users of the system who are not employed by the CSP. This
includes government users of the application, as well as third parties who do not have
access rights to the target system.
§ Trusted – Users with approved access rights to the target system. Trusted users include
both internal CSP employees with management access to the system, as well as external
users with credentialed access to the tenant environment.
§ Untrusted – Non-users of the target system. Untrusted users include both internal CSP
employees who lack credentialed access to the target system, as well as any individual
attempting to access the target system from the Internet.
See Table 3 below for the relationships between Trusted/Untrusted and Internal/External attacks.
Table 3 – Types of Attacks
§ Trusted / Internal – CSP employee responsible for setup, maintenance, or administrative access to
the CSP target system.
§ Trusted / External – Any user of the target system, regardless of assigned roles or access rights.
§ Untrusted / Internal – An employee of the CSP without direct access to the target system.
§ Untrusted / External – Any individual, without authorized credentials, attempting to access the
target system from the Internet.
3. ATTACK VECTORS
Attack vectors can be defined as potential avenues of compromise which may lead to a degradation of
system integrity, confidentiality, or availability. FedRAMP has identified and developed several risk
scenarios for the 3PAO organization to review and address during Penetration Testing. Table 4 below
lists the identified attack vectors, which are detailed in the sections below.
Table 4 – Attack Vector Summary
§ External to Corporate – External Untrusted to Internal Untrusted: An internet-based attack
attempting to gain useful information about or access the target cloud system through an external
corporate network owned and operated by the CSP.
§ External to Target System – External Untrusted to External Trusted: An internet-based attack as an
un-credentialed third party attempting to gain unauthorized access to the target system.
§ Target System to CSP Management System – External Trusted to Internal Trusted: An external attack
as a credentialed system user attempting to access the CSP management system or infrastructure.
§ Tenant to Tenant – External Trusted to External Trusted: An external attack as a credentialed
system user, originating from a tenant environment instance, attempting to access or compromise a
secondary tenant instance within the target system.
§ Corporate to CSP Management System – Internal Untrusted to Internal Trusted: An internal attack
attempting to access the target management system from a system with an identified or simulated
security weakness on the CSP corporate network that mimics a malicious device.
§ Mobile Application – External Untrusted to External Trusted: An attack that emulates a mobile
application user attempting to access the CSP target system or the CSP’s target system’s mobile
application.
Figure 1 below illustrates a sample target cloud system to give context to the attack vectors illustrated
in Figures 2 through 6 below. Each attack vector has been paired with its relevant threat model as a
general guide for designing test cases. Note that physical attack vectors are not included in the attack
vector descriptions below and a specific cloud service may differ from the represented system. The
3PAO must demonstrate how the Penetration Test will address these attack vectors.
employees who are directly responsible for the target system will need to be included in this attack
vector. See Section 5.5 Social Engineering, for information about this attack vector.
Figure 3. External to Target System Attack Vector
Figure 4. Target System to CSP Management System
Figure 5. Tenant to Tenant Attack Vector
Figure 6. Corporate to CSP Management System Attack Vector
Penetration Test scoping discussions, individual system components will be reviewed and deemed as
“in-scope” or “out-of-scope” for the Penetration Test. The aggregate of the agreed upon and
authorized in-scope components will comprise the system boundary for the Penetration Test.
When scoping the system boundaries for the assessment, it is important to consider the legal
ramifications of performing Penetration Testing activities on third-party environments. All testing
activities must be limited to the in-scope test boundary for the system to ensure adherence to all
agreements and limitation of legal liability. Penetration Testing should not be performed on assets for
which permission has not been explicitly documented. Obtaining permission for any third-party assets
that are required to be in-scope is the responsibility of the CSP.
Service models intending to use FedRAMP-compliant services lower in the “cloud stack” can leverage
the FedRAMP compliance and security features of those services. As a result, attack vectors already
addressed by other FedRAMP-compliant services lower in the “cloud stack” are not required to be
re-evaluated. For example: If a PaaS and SaaS leverage another layer that is FedRAMP compliant, then
Penetration Testing of the lower layer is not required. However, the CSP must determine the
authorization system boundaries and provide justification for any controls they intend to claim as
inherited from the supporting service. If the PaaS and/or SaaS are including FedRAMP-compliant
security features for the lower layers, then Penetration Testing of the lower layers is required and the
CSP needs to obtain all the authorizations required for the 3PAO to perform Penetration Testing for
the lower layers.
The methodology has been organized according to common assessment steps followed by
industry-practiced frameworks. The required level of effort regarding the appropriate Penetration
Testing methodology will be determined by the 3PAO based on the technologies in the in-scope test
boundary, regardless of how the CSP has self-identified the cloud service (SaaS, PaaS, or IaaS). For
example: If operating system/host-level access is offered by a CSP in a cloud service in which the
CSP self-identifies as a SaaS or PaaS cloud service, network Penetration Testing requirements will
still apply.
5.2. WEB APPLICATION/API TESTING INFORMATION
GATHERING/DISCOVERY
For API testing, sample workflows and test cases should be provided by the CSP to serve as a basic
interface for common use cases of the application’s functionality. The following activities in Table 5 below
must be completed.
Table 5 – Discovery Activities
§ Perform internet searches to identify any publicly available information on the target web
application – Identify any publicly available documentation that can be leveraged to gain insight
into potential attack vectors of the target web application. Determine if any publicly available
vulnerability has been disclosed, which could potentially be leveraged to attack the target web
application.
§ Identify the target application architecture – Identify all layers of the application including
application servers, databases, middleware, and other technologies to determine communication flow
and patterns within the application.
§ Identify account roles and authorization bounds – Identify the roles associated with the cloud
service and determine access limitations.
§ Map all content and functionality – Create a sitemap detailing all levels of functionality within
the web application. Please note: different account roles may have different access levels to
functionality within the target web application.
§ Identify all user-controlled input entry points – Map all areas of the application that take input
from the user of the application.
§ Perform web application server configuration checks – Perform web vulnerability scanning activity
to determine if common web server configuration flaws are present that could lead to an access path.
Table 6 – Mobile Application Information Gathering/Discovery
§ Perform internet searches to identify any publicly available information on the target web
application – Identify any publicly available documentation that can be leveraged to gain insight
into potential attack vectors of the target mobile application. Determine if any publicly available
vulnerability has been disclosed, which could potentially be leveraged to attack the target mobile
application.
§ Map all content and functionality – Navigate through the application to determine functionality
and workflow.
§ Identify all permission sets requested by the application – Inventory the permissions that the
mobile application requests from the phone. Determine if there are any differences across mobile
platforms.
Table 7 – Network Information Gathering/Discovery
§ Perform Open Source Intelligence (OSINT) Gathering Activities – Conduct an analysis of the public
profile of the target system including information disseminated about public Internet Protocol (IP)
ranges, technologies implemented within the target network or organization, and details around
previous public attacks against the target system.
§ Enumerate and Inventory Live Network Endpoints – Conduct a scan to identify active network
endpoints on the network environment.
§ Enumerate and Inventory Network Service Availability – Conduct an inventory of network services to
identify potential attack vectors.
§ Fingerprint Operating Systems and Network – Determine service types and version numbers.
§ Perform Vulnerability Identification – Conduct network scanning activity to identify publicly
available vulnerabilities.
5.5. SOCIAL ENGINEERING INFORMATION
GATHERING/DISCOVERY
Conduct external information gathering and discovery activities against CSP employees and system
administrators for the system to be tested. The following activities in Table 8 below must be completed.
Table 8 – Social Engineering Information Gathering/Discovery
§ Perform internet searches to identify CSP personnel of interest responsible for target system
management – Inventory publicly available information that details CSP personnel roles and
responsibilities for the target system. Note: The CSP must approve a final list of system
administrators to target for a spear phishing exercise.
Table 9 – Simulated Internal Attack Gathering/Discovery
§ Perform a scoping exercise with the CSP to determine potential attack vectors – Identify valid
attack chains assuming an internal CSP user was compromised by a social engineering attack.
§ Perform Vulnerability Identification – Conduct credentialed network scanning activity to identify
publicly available vulnerabilities and privilege escalation vectors.
5.7. EXPLOITATION
During exploitation, the 3PAO Penetration Testing team will attempt to leverage attack vectors
identified during information gathering and discovery to gain initial access into the target system,
based on the attack vector being tested. Several attack vectors are outlined below.
5.7.1. WEB APPLICATION/API EXPLOITATION
Conduct web application exploitation activities against target web applications/APIs. The following
activities in Table 10 below must be completed.
Table 10 – Web Application/API Exploitation
§ Authentication and Session Management – Assess the application to determine how the target
application creates and maintains a session state. Analyze account creation and management process.
§ Authorization – Identify issues related to role privilege enforcement across common customer roles
in the cloud service. Attempt to bypass authorization restrictions.
§ Application Logic – Attempt to circumvent controls to prevent bypass on intended logic patterns and
application flows.
§ Input Validation – Perform injection attacks against all data inputs to determine if information or
files can be inserted or extracted from the target application. Attempt to alter the backend.
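The Authorization activity above, together with the Tenant to Tenant attack vector in Section 3, comes down to one question the assessor has to answer for every role and every tenant: does the application enforce both the role's privileges and the caller's tenant ownership on each object it serves? The following Python is an added example, not code from the FedRAMP guidance or from any CSP product. It models a hypothetical multi-tenant SaaS with constructed roles, tenants and records, shows a handler that checks role permission but not tenant ownership beside a hardened handler that checks both, and runs a small role-by-record matrix of the kind a 3PAO would use to record which cross-tenant reads succeeded. All names (ROLE_PERMISSIONS, Principal, get_record_vulnerable, get_record_hardened, authorization_matrix) are assumptions for the example.

```python
"""Tenant-scoped, role-based authorization check with a matrix test harness.

Added example (not part of the FedRAMP guidance). Roles, tenants, records
and function names are constructed for illustration only.
"""
from dataclasses import dataclass

# Constructed role hierarchy for a hypothetical multi-tenant SaaS.
ROLE_PERMISSIONS = {
    "viewer": {"record:read"},
    "editor": {"record:read", "record:write"},
    "tenant_admin": {"record:read", "record:write", "user:manage"},
}


@dataclass(frozen=True)
class Principal:
    """An authenticated caller: who they are, which tenant, which role."""
    user_id: str
    tenant_id: str
    role: str


@dataclass(frozen=True)
class Record:
    """A tenant-owned object served by the API."""
    record_id: str
    tenant_id: str
    payload: str


# Constructed data store: two tenants, one record each.
RECORDS = {
    "r-100": Record("r-100", "tenant-a", "tenant A invoice"),
    "r-200": Record("r-200", "tenant-b", "tenant B invoice"),
}


def has_permission(principal, permission):
    """Role privilege enforcement: unknown roles get no permissions at all."""
    return permission in ROLE_PERMISSIONS.get(principal.role, set())


def get_record_vulnerable(principal, record_id):
    """Checks the caller's role permission only. The record's tenant is never
    compared with the caller's tenant, so a credentialed user of tenant A can
    read tenant B's data by supplying its id (the Tenant to Tenant vector)."""
    if not has_permission(principal, "record:read"):
        raise PermissionError("role lacks record:read")
    return RECORDS[record_id]  # KeyError for unknown ids


def get_record_hardened(principal, record_id):
    """Enforces role permission AND tenant ownership. Unknown and foreign
    records raise the same error so ids cannot be enumerated across tenants."""
    if not has_permission(principal, "record:read"):
        raise PermissionError("role lacks record:read")
    rec = RECORDS.get(record_id)
    if rec is None or rec.tenant_id != principal.tenant_id:
        raise PermissionError("record not found")
    return rec


def authorization_matrix(handler, principals, record_ids):
    """Exercise every (principal, record) pair through `handler` and return
    the cross-tenant reads it allowed as (user_id, record_id) tuples.
    An empty list means tenant isolation held for these inputs."""
    violations = []
    for p in principals:
        for rid in record_ids:
            try:
                rec = handler(p, rid)
            except (PermissionError, KeyError):
                continue  # denied: not a finding
            if rec.tenant_id != p.tenant_id:
                violations.append((p.user_id, rid))
    return violations


# Constructed test principals: one credentialed user per tenant.
PRINCIPALS = [
    Principal("alice", "tenant-a", "editor"),
    Principal("bob", "tenant-b", "viewer"),
]

if __name__ == "__main__":
    for name, handler in (("vulnerable", get_record_vulnerable),
                          ("hardened", get_record_hardened)):
        print(name, authorization_matrix(handler, PRINCIPALS, list(RECORDS)))
```

The matrix is the part worth keeping in the test plan: it is repeatable, it names the exact role and object for each finding, and a later retest (Section 2.3, "confirming that remediated items are no longer a risk") is the same call with the fixed handler.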
Table 11 – Mobile Application Exploitation
§ Authorization – Identify issues related to role privilege enforcement across common customer roles
in the cloud service. Attempt to bypass authorization restrictions.
§ Data Storage – Identify and inventory data being stored on the device. Determine if encryption is
being utilized outside of platform level controls.
§ Information Disclosure – Identify what information is being disclosed in log files and local cache
stores.
retrieved. Specific requirements are not given in this section, as the nature of the exploitation will be
highly differentiated by the identified service or endpoint vulnerabilities; instead, general guidelines for
performing exploitation attacks are provided. The following activities in Table 12 below must be
completed.
Table 12 – Network Exploitation
§ Attack Scenarios – Present identified attack scenarios to the CSP for approval of execution. Note
that if the CSP does not approve a potential exploitation path, this must be documented in the
Penetration Test report.
§ Exploitation – Perform exploitation activity with the intent of gaining access to the target
systems and elevating privileges, if possible. If unsuccessful, attempt to adapt the exploitation
approach to work against the target environment.
§ Record Results – If exploitation attack scenarios were successful, document the results. If
exploitation attack scenarios were unsuccessful, document why the exploit failed and what
protections (if any) prevented the exploit from executing.
Table 13 – Social Engineer Exploitation
§ Authorization – Identify issues related to role privilege enforcement across common customer roles
in the cloud service. Attempt to bypass authorization restrictions.
An assumption is made that if escalation and pivoting vectors are identified, the target system would
eventually be compromised. Although the corporate asset is outside the system boundary, the results
of the simulated internal attack will be documented in the Penetration Test report for remediation by
the CSP. Utilizing this methodology simulates an internal attack without conducting Penetration
Testing activities of the corporate CSP network environment. The following activities in Table 14 below
must be completed.
Table 14 – Simulated Internal Attack Exploitation
§ Escalate to Administrative Privileges – Attempt to gain administrative privileges on the CSP
standard workstation image. If the CSP provisions users as local system administrators by default,
testing should still be conducted to determine the likelihood of a successful pivot to additional
workstations or servers in the CSP environment.
§ Recording Results – If exploitation attack scenarios were successful, document the results. If
exploitation attack scenarios were unsuccessful, document why the exploit failed and what
protections (if any) prevented the exploit from executing.
5.8. POST-EXPLOITATION
During post-exploitation, the 3PAO Penetration Testing team will attempt to exercise vulnerabilities
discovered during exploitation. The 3PAO Penetration Testing team will conduct post-exploitation
activities with the intent of demonstrating the impact of exploitation by laterally moving to additional
endpoints with the intent to compromise sensitive CSP data, information, or control of the target
system infrastructure. Post-exploitation activities will be determined by the level of access gained by
exploitation and the technologies utilized by the system. They should broadly cover the activities listed
below. The following activities in Table 15 must be completed.
Table 15 – Post-Exploitation
§ Escalate to Administrative Privileges – Attempt to gain administrative privileges on the CSP
standard workstation image. If the CSP provisions users as local system administrators by default,
testing should still be conducted to determine the likelihood of a successful pivot to additional
workstations or servers in the CSP environment.
§ Recording Results – If exploitation attack scenarios were successful, document the results. If
exploitation attack scenarios were unsuccessful, document why the exploit failed and what
protections (if any) prevented the exploit from executing.
5.8.1. WEB APPLICATION/API POST-EXPLOITATION
Conduct web application post-exploitation activities against target web applications/APIs. The
following activities in Table 16 must be completed.
Table 16 – Web Application/API Post-Exploitation
§ Unauthorized Management Access – Use access to application to attempt to gain control of
underlying infrastructure or management systems.
§ Unauthorized Data Access – Attempt to demonstrate the potential to access additional data from
sources outside the cloud service’s intended scope.
This attack vector is not applicable since the Penetration Test will be assessing only the local
application on the test platform. The device on which the mobile application resides is considered
out of scope for the Penetration Test.
Conduct network post-exploitation activities against the target infrastructure to attempt to access
management networks, applications, and other customer instances. The following activities in
Table 17 below must be completed.
ACTIVITY | DESCRIPTION
Gain Situational Awareness | Determine what level of access was gained following a successful exploitation attempt.
Privilege Escalation | If applicable, attempt to escalate privileges to allow for additional access on the exploited endpoint or other endpoints within the network environment.
Lateral Movement | Perform further discovery and enumeration to identify hosts on the network that may respond only to the compromised system. Leverage compromised systems and credentials to pivot to additional hosts with the intent of gaining unauthorized access to management systems or other customer systems.
Identification and Exfiltration of Sensitive Systems or Data | Identify sensitive or critical information that may be accessed or compromised through a successful attack (criteria for sensitive data to be determined during the scoping phase). Attempt to exfiltrate sensitive information undetected.
5.8.4. SOCIAL ENGINEERING POST-EXPLOITATION
This attack vector is not applicable. The CSP will assume a corporate breach, which eventually leads to
management access into the CSP target system, provided the 3PAO is able to identify privilege
escalation and pivoting avenues and attack chains.
6. REPORTING
Penetration Test assessment activities and results must be organized and compiled into a
comprehensive Penetration Test report to be included in the Security Assessment Report (SAR). The
report is required to address the following sections.
6.4. ACTUAL TESTS PERFORMED AND RESULTS
Document the actual tests performed to address the Penetration Test requirements outlined in this
document, and document the results of each test.
lead on each Penetration Test must be approved by the Assessment Organization and either have an
industry-recognized credential for Penetration Testing or equivalent education and experience.
Industry-recognized credentials are identified in Table 18 below.
ORGANIZATION | CREDENTIALS
Global Information Assurance Certification (GIAC) | GWAPT - GIAC Web Application Penetration Tester; GPEN - GIAC Network Penetration Tester; GXPN - GIAC Exploit Researcher and Advanced Penetration Tester
Offensive Security | OSCP - Offensive Security Certified Professional; OSCE - Offensive Security Certified Expert
International Council of Electronic Commerce Consultants (EC-Council) | CEH - Certified Ethical Hacker; LPT - Licensed Penetration Tester
APPENDIX B: REFERENCES
The publications referenced in this document are available at the following URLs:
§ https://www.fedramp.gov/resources/documents-2016/
§ https://www.fedramp.gov/files/2015/03/Guide-to-Understanding-FedRAMP-v2.0-4.docx
§ http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
§ http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
§ http://dx.doi.org/10.6028/NIST.SP.800-53Ar4
§ http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
§ https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
§ https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Mobile_Security_Testing
§ http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
§ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
§ https://azure.microsoft.com/blog/2014/11/11/red-teaming-using-cutting-edge-threat-simulation-to-harden-the-microsoft-enterprise-cloud/
Penetration Test planning must include or account for the following considerations:
§ Penetration
- Network penetration
- Wireless network penetration
- Physical penetration
- Social engineering penetration
§ Affected IP ranges and domains
§ Acceptable social engineering pretexts
§ Targeted organization’s capabilities and technologies
§ Investigative tools
§ Specific testing periods (start and end date/times)
§ CSP reporting requirements (format, content, media, encryption)
The Penetration Test Plan must describe:
§ Target locations
§ Categories of information such as open source intelligence, human intelligence
§ Type of information such as physical, relationship, logical, electronic, metadata
§ Gathering techniques such as active, passive, on- and off-location
§ Pervasiveness
§ Constraints that do not exploit business relationships (customer, supplier, joint venture, or
teaming partners)
The 3PAO must justify omitting any attack vectors described in Section 3 above in the ROE/Test Plan
and the Penetration Test Report.
SYSTEM SCOPE
Provide a description of the boundaries and scope of the cloud service system, along with any
identified supporting services or systems. System scope should account for all IP addresses, Uniform
Resource Identifiers (URLs), devices, components, software, and hardware.
TESTING SCHEDULE
Provide a schedule that describes testing phases and initiation/completion dates and allows for tracking of
Penetration Test deliverables.
TESTING METHODOLOGY
The methodology section will address relevant Penetration Testing activities as described in Section 5
above.
RELEVANT PERSONNEL
Provide a list of key personnel involved in the management and execution of the Penetration Test. The
list should include, at a minimum:
§ System Owner (CSP)
§ Trusted Agent (CSP)
§ Penetration Test Team Lead (3PAO)
§ Penetration Test Team Member(s) (3PAO)
§ Escalation Points of Contact (CSP and 3PAO)
INCIDENT RESPONSE PROCEDURES
Provide a description of the chain of communications and procedures to be followed should an event
requiring incident response intervention be initiated during Penetration Testing.