PHASE 4: SYSTEM TESTING
TESTING METHODOLOGY
A testing methodology is a systematic approach to testing software or a system under development. It involves planning the scope of testing, preparing test data, executing test scripts, tracking defects, and evaluating quality to ensure the reliability, performance, and security of the system under test.
The activities carried out in the testing phase concern the preparation of the test plan and related test documentation, and the execution of acceptance testing of the system by users. The tests concerned are User Acceptance Testing (UAT) and Provisional Acceptance Testing (PAT). These tests are carried out to validate the developed application system against the user requirements and system requirements, to ensure those requirements are met before the application system is implemented.

REFERENCES
System Requirements Specification
System Design Specification
System Integration Specification
System Test Report

PROCESS & METHOD USED
Preparation of the Master Test Plan
Preparation of the Test Readiness Documentation
User Acceptance Testing (UAT)
Preparation of the UAT/PAT Acceptance Test Plan
Provisional Acceptance Testing (PAT)
Preparation of the UAT/PAT Acceptance Test Plan

DELIVERABLES
Master Test Plan
Test Readiness Documentation
UAT/PAT Plan
UAT/PAT Report

Acceptance testing of the application system is what establishes confidence that the developed system has met the business requirements and user requirements that were set. Testing also aims to ensure that the functionality of the developed system is ready for use. Any errors found must be rectified, fixed and retested.

Testing will be carried out with the involvement of system users, including SMEs, process owners and end users. User expectations of the system will be evaluated through 2 main activities, namely:
1. User Acceptance Testing (UAT): evaluates the functional aspects.
2. Provisional Acceptance Testing (PAT): evaluates the functional and non-functional aspects.

The reference documents for the Acceptance Testing Phase are as follows:
1. D03 System Requirements Specification
2. D04 System Design Specification
3. D08 System Integration Specification
4. D11 System Test Report

The deliverable documents for the Acceptance Testing Phase are as follows:
1. D12 Master Test Plan
2. D13 User Acceptance Test (UAT) / Provisional User Acceptance Test (PAT) Plan
3. D14 Acceptance Test Report (UAT & PAT)

To ensure the activities in the testing phase are carried out successfully, the factors that must be given attention before and during testing are as follows:
1. The documented Business Requirements Specification, System Requirements Specification and System Design Specification are complete and have been agreed by the users.
2. System testing (unit/component testing, sub-system/module testing and system integration testing) has been carried out completely.
3. The system is free of high-severity errors that could cause its main functions to fail.
4. The Test Manager / Test Lead is experienced and qualified in planning and conducting tests.
5. Detailed preparation for acceptance testing, such as the test execution schedule, invitations to testers and readiness of the test environment.

Apart from the factors above, the use of suitable tools for managing, executing and controlling tests also adds value to the success of testing. Commitment from stakeholders at all levels is required while testing is carried out. Testing must be planned carefully based on the duration, cost and resource requirements provided, so that the developed system reaches the specified level of quality. Test results obtained through orderly test execution and adherence to best practices will inform the stakeholders' decision on implementing the system.
05 IMPLEMENTATION
The main activity in the implementation phase is carrying out activities in preparation for system implementation. The activities carried out in this phase are data migration, final acceptance testing, preparation of the user manual, and the system handover report.

The purpose of system implementation is to ensure that the developed system can operate smoothly according to the specifications requested by the users. The implementation phase involves transition activities from the old system to the new system. It will involve a change from manual ways of working to new ways based on a computerised system. The transition can be carried out on the current system by making improvements according to the new requirements. During the implementation phase, business, technical and people-related issues must be identified and acted upon.

The activities in the Implementation Phase are:
1. Data Migration Execution
2. Final Acceptance Test (FAT)
3. User Manual Preparation
4. Application System Handover

REFERENCES
System Development Plan
Data Migration Plan
Application System PAT Report

PROCESS & METHOD USED
Data Migration Execution
Final Acceptance Test (FAT)
Application System Handover
User Manual Preparation

DELIVERABLES
Data Migration Report
Test Completion Report (FAT)
User Manual
System Handover Report
PHASE 5: SECURITY POSTURE ASSESSMENT (SPA)
© 2021 Nexagate Sdn Bhd. All Rights Reserved.
CONFIDENTIAL
Tender for Software, Application and Hardware Maintenance Services for the Electronic Trade Union Information System (e-TUIS), Jabatan Hal Ehwal Kesatuan Sekerja (JHEKS) Malaysia
A Proposal for Jabatan Hal Ehwal Kesatuan Sekerja (JHEKS)
CONTENT
01 Introduction
02 Executive Summary
03 Approach & Methodology
3.1 Proposed Scope of Work
3.2 Pre-Assessment Phase
3.3 Assessment Phase
3.4 Post Assessment Phase
3.5 Security Testing Tools
05 Project Management
06 Nominated Consultants
07 Maintenance & Support
08 Why Choose Us?
09 Project Reference
01 Introduction
Company Background
Meet Nexagate: Your Trusted Cybersecurity Partner
Excellence in end-to-end Cyber Security solutions
Established since 2010: 10 years and growing
Critical projects secured & delivered
300+ Projects Secured
250+ Client Base
Strong Manpower: 45+ Members and growing
Global Certification: ISO/IEC 27001, CREST
Risk & Compliance: Establish & Improve Security Processes
Audit & Testing: Assess & Test against Cyber Threats
Managed Protection: Defend & Protect Against Cyber Threats
Countries: Malaysia, Singapore, Indonesia, Laos, Philippines
Leadership Team
Great Leaders Make Great Teams
Khairil Effendy, Managing Director: MSc Comm Eng (Manchester, UK); CCNP/A, CCDP/A, JNCIA, ITIL, CCRSSS
Tuan Faisal Azmy, Chief Marketing Officer: M.Sc Business Information Technology (Manchester, UK)
Khairul Naim, Deputy Managing Director & Chief Security & Strategy: BEng Computer Eng (MMU); CISSP, GIAC HTQ, JNCIA, ITIL, ISMS/ISO27001 Certified Lead Auditor
Nur Aisyah, Chief Human Capital Officer: BMM (Hons) Media Innovation and Management, Multimedia University
Benyazwar Mohmd, Chief Security & Risk Consulting: MSc Comm Eng (Manchester, UK); ISMS/ISO27001 Certified Lead Auditor
Norzakimi Zahari, Chief Technology Officer: BSc Computer Science (UTM); CISSP, PMP, ISMS/ISO27001 Certified Lead Auditor
Ahmad Tarmizi, Chief Product Officer: BMM (Hons) Interface Design, Multimedia University
Suziyanti Shahrudin, Chief of Managed Security: BEng Computer Eng (MMU); ISMS/ISO27001 Certified Lead Auditor
Credentials and Certifications
Industry Recognitions
MSC Status Company in the field of Global Business Services since 2013
Certified Information Security Management System (ISMS) ISO 27001 since 2012
Featured by Frost & Sullivan Cyber Security Case Studies for our industry-leading Managed Web Security Services
Among only 5 local companies that have been certified by CSM as Penetration Testing Service Providers
Listed as Top 25 Cyber Security Technology Companies in Asia Pacific by APAC CIO Outlook for 2017
Certified CREST in Penetration Testing: recognised by an international accreditation organisation in providing penetration testing
Top 3 local companies that have won in the inaugural Cyber100 Competition
Major Clients Who Trust Our Services
Banks/FSI
Various Government
Telco/SP
03 Approach & Methodology
3.1 Proposed Scope of Work
SPA as a Requirement
On 17th November 2009, MAMPU issued a general circular named “Surat Pekeliling Am Bilangan 3 Tahun 2009 - Garis Panduan Penilaian Tahap Keselamatan Rangkaian Dan Sistem ICT Sektor Awam” which provides guidelines on assessing the state of security of network and ICT systems of the public sector. Among the contents of this document is that it is the responsibility of each departmental head to ensure that a Security Posture Assessment is performed at least once a year within the department. Also, should a third party be appointed to perform the assessment, the third party must be capable and qualified with proper credentials, such as those which are certified by the ISMS standard ISO/IEC 27001.

SPA for Compliance
The Security Posture Assessment has also been known to be a method of complying with security control 12.6.1, Control of Technical Vulnerabilities, under the ISO/IEC 27001 Information Security Management Systems (ISMS) standard. It is very crucial that the current network infrastructure and systems are assessed, vulnerabilities identified, and recommended countermeasures implemented in order to mitigate the risks of compromising the confidentiality, integrity and availability of information systems.

By performing a Security Posture Assessment, an organization is already complying with one of the major requirements of an Information Security Management System.
Proposed Scope of Work
In summary, we are proposing the following scope of work, which is detailed in Section 3.3 Assessment Phase and Section 3.4 Post-Assessment Phase:

No. / Scope of Works / Objectives
1. External Penetration Testing: Ascertain the state of security of the target network in resisting a frontal attack from the Internet or other untrusted network.
2. Internal Penetration Testing: Address residual weaknesses by identifying internal access points and insecure hosts.
3. Web Application Penetration Testing: Ascertain the susceptibility of web applications to unauthorized attempts via tweaking of their functionality and programming logic.
4. Host Assessment (Operating System): Ascertain how robust the systems are to a direct frontal break-in attempt.
5. Host Assessment (Network/Security Devices): Perform a review of the security configurations of network devices.
6. Host Assessment (Database): Ascertain how robust the systems are to a direct frontal break-in attempt.
7. Application Load/Stress Test (Application Performance Assessment): Provide a strategic assessment to evaluate the overall level of application and system responsiveness, throughput, reliability and scalability under various given workload levels. It is also meant to help establish the performance acceptance criteria for application service delivery.
Approach & Methodology
Proposed Scope of Work
In summary, we are proposing the following scope of work, which is detailed in Section 3.3 Assessment Phase and Section 3.4 Post-Assessment Phase:
➢ External Penetration Testing
➢ Web Application Penetration Testing
➢ Source Code Review
➢ Application Load/Stress Test (Application Performance Assessment)
➢ Analysis & Reporting
➢ Knowledge Transfer
➢ Hardening Workshop
➢ Post Review
Approach & Methodology
3-Phase Approach
The applied methodologies and standards used in our security assessments are in compliance with the following best practices:
• Institute for Security and Open Methodologies (ISECOM) - Open-Source Security Testing Methodology Manual (OSSTMM)
• National Institute of Standards and Technology (NIST)
• ISO/IEC 27002 Information Technology – Code of Practice for Information Security Management
• The Open Applications Security Project (OWASP) – OWASP Application Penetration Checklist

PRE-ASSESSMENT
• Project Planning & Initiation
• Confirmation of SoW
• Information Gathering

ASSESSMENT
• External Penetration Testing
• Internal Penetration Testing
• Web Application Penetration Testing
• Host Assessment (Operating System)
• Host Assessment (Network/Security Devices)
• Host Assessment (Database)
• Application Load/Stress Test (Application Performance Assessment)

POST-ASSESSMENT
• Findings Consolidation
• Develop Reports
• Executive Presentations
• Knowledge Transfer and Trainings
• Hardening Workshop
• Post Review
03 Approach & Methodology
3.2 Pre-Assessment Phase
Pre-Assessment Approach & Methodology
This phase comprises the following activities:

Project Kick-off Meeting
This involves meeting with JHEKS to introduce the team, to establish an understanding of how the project will be delivered, and to align expectations to the Statement of Work. The agenda may include sharing of the Project Objective Statement, Project Organizational Chart, Roles and Responsibilities, Change Management, and an overview of the Statement of Work. Further to this meeting, the Statement of Work (aka Project Charter) will be finalized and formalized between JHEKS's Project Manager and our Project Manager.

Technical Design/Info Gathering Discussion/Workshop
This activity uses the Solution Specification / Test Plan Document. The project team engages the customer in meetings or workshops where the solution or test approach is elaborated to a greater level of detail. The information gathered (e.g. current security policy, current network diagrams, password policies, business continuity plans, incident response plans, etc.) will assist our team to move into the next phase. The result of this activity may come in the form of solution specification or test plan documents, against which the project's delivery will be implemented.
Pre-Assessment Approach & Methodology
Sample of Request for Information (RFI) document used to collect technical information:
03 Approach & Methodology
3.3 Assessment Phase
Network Penetration Test Approach & Methodology
EXTERNAL PENETRATION TEST
OBJECTIVES
Ascertain the state of security of the target network in resisting a frontal attack from the Internet or other untrusted network.
KEY ACTIVITIES
Performed from outside the target network, such as from the public cloud, Wide Area Network (WAN) and branches/site offices, based on a 4-step methodology:
1. Network Surveying
2. Port Scanning
3. Vulnerability Scanning & Service Identification
4. Verification & Exploitation
EXPECTED RESULTS
List of hosts vulnerable to external attacks, together with their list of vulnerabilities.
Network Penetration Test Approach & Methodology
INTERNAL PENETRATION TEST
OBJECTIVES
Address residual weaknesses by identifying internal access points and insecure hosts.
KEY ACTIVITIES
A penetration test is performed within the same Local Area Network (LAN) or from internal trusted nodes of the target network, based on a 4-step methodology:
1. Network Surveying
2. Port Scanning
3. Vulnerability Scanning & Service Identification
4. Verification & Exploitation
We will also attempt to acquire the application's username and password during this assessment.
EXPECTED RESULTS
List of vulnerable hosts together with the list of vulnerabilities identified.