Project

A contractor has been identified to protect the portal of public services in the Moscow region. Its first step is to search for "holes"

Customers: GKU MO CIB MO - Information Security Center of the Moscow Region

Krasnogorsk; Information security

Contractors: Compliance Soft


Project date: 2023/11 - 2023/12


In December 2023, the competition to organize the protection of the portal of public services of the Moscow Region was completed; the winner was Compliance Soft, which has worked in information security integration since 2015. It began fulfilling the requirements of the tender documentation, which among other things call for an open competition to find vulnerabilities, a format that in its description resembles a bug bounty.

To implement those requirements[1], the contractor opened a short-term testing program for the Moscow Region portal on the Standoff 365 platform, valid until December 29. The maximum reward for finding a critical vulnerability is 150 thousand rubles. Citizens of Russia over 18 years old who are registered on the Standoff 365 platform can take part; currently about 8 thousand security researchers are registered there.

The main parameters of the bug bounty program for the portal of public services of the Moscow region

It should be noted that a bug bounty program is quite an effective way to check the security of resources continuously. However, if a web portal is opened for public testing straight away, the amount paid out for vulnerabilities can be very large. For that reason, before launching a bug bounty a company would usually at least complete the implementation of DevSecOps, conduct pentests, and form a Red Team to test its information resources with the most modern techniques. Once these steps are done, open vulnerability testing can be launched. Positive Technologies, of which the Standoff 365 platform is a part, takes a different view, however.

"I believe that you can go to bug bounty even with a low level of preparedness," said Yulia Voronova, director of consulting at the Positive Technologies competence center. "It is only necessary to correctly formulate what we pay for. If we understand our unacceptable events and realize what is really critical for us, then we pay not for any 'breaking,' not for any vulnerability, but for knowledge about the chain that will lead to the implementation of a specific unacceptable event. In this case, we minimize the cost of minor and non-business-critical vulnerabilities. But to say that I am not yet ready to be told about how my company can die, in principle, will not be very correct. Such knowledge must be obtained as early as possible."

That is why the vulnerability search program for the Moscow Region portal has a strict time limit (until December 29, a little more than two weeks) and why the prices even for critical vulnerabilities are quite low, at 150 thousand rubles. For comparison, the Mail.ru service testing program values a critical vulnerability at 3.6 million rubles. Yet even with such a limited program, many critical vulnerabilities can be found and the total payout can be large. For example, in a similar testing program of the Leningrad Region[2], now running on the BI.Zone Bug Bounty platform, three critical vulnerabilities have already been discovered and 765 thousand rubles have been paid out.

The portal of public services of the Moscow Region was launched in 2012 and now provides access to more than 300 electronic services. It is visited by about 4 million people a month, more than 77% of whom have verified their identity. Protecting such a volume of personal and sensitive information is clearly very important both for the region and for the state as a whole, since the Moscow Region portal serves as the model for the Regional Management Centers (TsUR) now being deployed in many other regions of Russia.

Moscow region introduces progressive information security practices: DevSecOps, cyber training and bug bounty

In mid-November, the Information Security Center of the Moscow Region announced a tender for the introduction of DevSecOps secure development technology for its state information system "Portal of State and Municipal Services (Functions) of the Moscow Region"[3]. The project also covers services for organizing cyber training, running a vulnerability search program, and assessing the security level of the information resources of the Moscow Region. An integral part of it is a one-year renewal of the license for the Webmonitorex 850M system, which provides API control and protects against attacks through the API.

About 50 million rubles are planned to be spent on all five tasks. Submission of applications for the competition closes on November 28.

According to the technical documentation of the tender, a CI/CD pipeline, typical of the DevOps methodology, has already been built in the Moscow Region. If, as the terms of reference require, static and dynamic code analysis, dependency control and vulnerability management tools, and components for analyzing containers, mobile applications and embedded credentials are added to it, and no more than 30 employees are then trained to use all these tools, the result is full-fledged DevSecOps, although the term itself does not appear in the terms of reference. Nor do they reference GOST R 56939-2016 on secure software development.

Government complex of the Moscow region (photo Mixyfotos)

An equally interesting section concerns the cyber training program, whose purpose is to increase the readiness of specialists to prevent, respond to and eliminate the consequences of computer attacks on information resources. The plan is to develop, together with the contractor, at least a dozen scenarios covering all the necessary protection components. Planning and conducting them must follow the PTES and NIST SP 800-115 methodologies, which relate to penetration testing (pentests). They are expected to be carried out within 60 days. In effect, this is a pentest that checks how the security tools perform for the customer's web resources, its servers and workstations, and its network infrastructure.

The vulnerability search program involves publishing, through the contractor's platform, the rules for searching for vulnerabilities in the customer's designated systems, in both private and public modes, and paying for their discovery. The contractor may also recommend remediation of the vulnerabilities and then verify that they have been closed. This is the commercial vulnerability search format commonly called bug bounty.

In general, introducing DevSecOps, followed by a pentest and then a bug bounty, is the main way of working with vulnerabilities in public web applications: it provides an assessment of the resource and its security, and builds a security process that can quickly eliminate detected vulnerabilities, whether they appeared recently or have been present in the system for a long time.

This approach has been tested at banks, marketplaces and e-commerce companies, and is now beginning to be applied to government resources. The introduction of the DevSecOps methodology, which underpins this practice, is not within everyone's reach, however.

"The distribution of DevSecOps depends on the executor of the project: the specialists themselves are rare and expensive," Vyacheslav Kasimov, director of the information security department of the ICD, explained to TAdviser regarding the limited adoption of secure web development practice in state projects. "In addition, not all companies have an understanding of why they need it at all. But if we are talking about large developers who later do the implementation of the project, then they can afford the implementation of DevSecOps."

Such a project will allow the CIB MO to make the Moscow Region portal well protected and to keep developing it without losing security. And since the portal is the model for the Regional Management Centers (TsUR), similar programs may well be held throughout the country.

As a result of the tender, Compliance Soft LLC was named the winner out of two applicants on November 29.

Notes