Statement Of Compliance For CWE/SANS Top 25 Software Errors


Statement of Compliance for CWE/SANS Top 25 Software Errors

Personal and Confidential

SANS Top 25 Software Errors

Abstract

EventTracker is a powerful and dynamic Security Information and Event Management (SIEM) and event log management solution that processes hundreds of millions of discrete log messages to distill and deliver the most vital and actionable data to your organization. EventTracker provides a 360-degree view of the entire IT infrastructure, offering real-time alerting and reporting. EventTracker allows organizations to maintain continuous compliance, improve their IT security posture, and increase operational uptime.

The EventTracker architecture consists of two main components, Web and Engine. EventTracker and its components rely on the operating system, the IIS web server and a SQL database for their functional requirements. As the volume of managed data grows, it is important to safeguard the EventTracker application and its prerequisites against known security threats.

The CWE/SANS Top 25 Most Dangerous Software Errors is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. It leverages experience from the development of the SANS Top 20 attack vectors (http://www.sans.org/top20/) and MITRE's Common Weakness Enumeration (CWE) (http://cwe.mitre.org/). MITRE maintains the CWE web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. The CWE site contains data on more than 800 programming errors, design errors, and architecture errors that can lead to exploitable vulnerabilities.

EventTracker incorporates this list as part of its development phase. This document is a statement of compliance with the list.

References

* MSLOGO guidelines: erver/hh833799
* OWASP Guidelines: https://www.owasp.org/index.php/Main_Page
* SANS Top 25 Most Dangerous Software Errors: http://www.sans.org/top25-software-errors/

SANS Top 25 Software Errors - EventTracker Security Statement

CWE ID / Description of the Vulnerability / Supported Features

CWE-89   Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
         Supported. EventTracker satisfies OWASP* guidelines and is well behaved in this situation. Please refer to the OWASP guidelines link in the References.

CWE-78   Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
         Supported. EventTracker satisfies OWASP guidelines and is well behaved in this situation.

CWE-79   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
         Supported. EventTracker satisfies OWASP guidelines and is securely coded against XSS attacks.

CWE-434  Unrestricted Upload of File with Dangerous Type
         Not Applicable. EventTracker does not support this feature.

CWE-352  Cross-Site Request Forgery (CSRF)
         Supported. EventTracker satisfies OWASP guidelines and is well behaved in this situation.

CWE-601  URL Redirection to Untrusted Site ('Open Redirect')
         Not Applicable. EventTracker does not support this feature.

CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
         Supported. EventTracker satisfies OWASP guidelines and is well behaved in this situation.

CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
         Supported. EventTracker satisfies OWASP guidelines and allows access only after verifying proper authorization.

CWE-494  Download of Code Without Integrity Check
         Not Applicable. EventTracker does not support this feature.

CWE-829  Inclusion of Functionality from Untrusted Control Sphere
         Not Applicable. EventTracker does not support this feature.

CWE-676  Use of Potentially Dangerous Function
         Continuous security process adopted. EventTracker adheres to the MSLOGO* guidelines, and this weakness is handled as part of them. It is also maintained as part of the Security Development Lifecycle process. Please refer to the MSLOGO guidelines link in the References.

CWE-131  Incorrect Calculation of Buffer Size
         Continuous security process adopted. EventTracker adheres to the MSLOGO* guidelines, and this weakness is handled as part of them. It is also maintained as part of the Security Development Lifecycle process. Please refer to the MSLOGO guidelines link in the References.

CWE-134  Uncontrolled Format String
         Continuous security process adopted. EventTracker adheres to the MSLOGO* guidelines, and this weakness is handled as part of them. It is also maintained as part of the Security Development Lifecycle process. Please refer to the MSLOGO guidelines link in the References.

CWE-190  Integer Overflow or Wraparound
         Continuous security process adopted. EventTracker adheres to the MSLOGO* guidelines, and this weakness is handled as part of them. It is also maintained as part of the Security Development Lifecycle process. Please refer to the MSLOGO guidelines link in the References.

CWE-306  Missing Authentication for Critical Function
         Supported. EventTracker satisfies OWASP guidelines and is well behaved in this situation.

CWE-862  Missing Authorization
         Supported. EventTracker satisfies OWASP guidelines and authorizes resources and operations in a secure way.

CWE-798  Use of Hard-coded Credentials
         Supported. EventTracker does not hard-code any credentials.

CWE-311  Missing Encryption of Sensitive Data
         Supported. EventTracker satisfies OWASP guidelines and does not expose any sensitive data.

CWE-807  Reliance on Untrusted Inputs in a Security Decision
         Supported. EventTracker satisfies OWASP guidelines. EventTracker sessions and cookies are securely handled.

CWE-250  Execution with Unnecessary Privileges
         Supported. EventTracker satisfies OWASP guidelines and is well behaved in this situation.

CWE-863  Incorrect Authorization
         Supported. EventTracker satisfies OWASP guidelines and allows access only after verifying proper authorization.

CWE-732  Incorrect Permission Assignment for Critical Resource
         Supported. EventTracker satisfies OWASP guidelines and is well behaved in this situation.

CWE-327  Use of a Broken or Risky Cryptographic Algorithm
         Supported. EventTracker uses FIPS-compliant certificates.

CWE-307  Improper Restriction of Excessive Authentication Attempts
         Not Applicable. EventTracker depends on Windows Authentication, which can be either Active Directory or local host based.

CWE-759  Use of a One-Way Hash without a Salt
         Not Applicable. EventTracker does not support this algorithm.
