Vulnerability Scans
Remote Support 16.1

© 2016 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their respective owners. TC:9/23/2016

About Vulnerability Scanning

To ensure the security and value of our product, Bomgar incorporates vulnerability scanning in our software testing process. We eagerly commit to addressing, with the utmost urgency, security vulnerabilities as they are detected by industry security professionals.

We track the results of vulnerability scans performed prior to a software release and prioritize resolution based on severity and criticality of any issues uncovered. Should a critical or high-risk vulnerability surface after a software release, a subsequent maintenance version release addresses the vulnerability. Updated maintenance versions are distributed to our customers via the update manager interface within the Bomgar administrative interface. Where necessary, Bomgar Technical Support will contact customers directly, describing special procedures to follow to obtain an updated maintenance version.

Our customers can rely on our commitment to address security issues at our earliest opportunity.

Note: The contents of this document comprise the latest scan results from IBM Security AppScan. All scans were performed against an installation of Bomgar 16.1. The three reports that follow (OWASP Top 10 2013, PCI DSS v3.1 and FISMA) are compliance views of the same AppScan scan, started 6/3/2016 with rule set 1999; a count of 0 in a section means that scan raised no findings mapped to that section within the surface the scanner reached.

CONTACT BOMGAR    [email protected] | 866.205.3650 (US) | +44 (0) 1628 480 210 (UK/EMEA) | BOMGAR.COM

Web Application Report

This report includes important security information about your web application.

OWASP Top 10 2013 Report

This report was created by IBM Security AppScan Standard 9.0.3.1 iFix001, Rules: 1999. Scan started: 6/3/2016 1:18:37 PM
Regulations

OWASP Top Ten 2013 – The Ten Most Critical Web Application Security Risks

Summary

The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. Development projects should address these potential risks in their requirements documents and design, build and test their applications to ensure that they have taken the necessary measures to reduce these risks to the minimum. Project managers should include time and budget for application security activities, including developer training, application security policy development, security mechanism design and development, penetration testing, and security code review, as part of the overall effort to address the risks.

The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security risks. The Top 10 provides basic guidance on how to protect against these risks and where to go to learn more on how to address them.

Although set out as an education piece, rather than a standard or a regulation, it is important to note that several prominent industry and government regulators are referencing the OWASP Top Ten. These bodies include, among others, VISA USA, MasterCard International and the American Federal Trade Commission (FTC).

However, according to the OWASP team, the OWASP Top Ten is first and foremost an education piece, not a standard. The OWASP team suggests that any organization about to adopt the Top Ten paper as a policy or standard consult with the OWASP team first.

The OWASP Top 10 for 2013 broadens one of the categories from the 2010 version to be more inclusive of common, important vulnerabilities, and reorders some of the others based on changing prevalence data. It also brings component security into the spotlight by creating a specific category for this risk, pulling it out of the obscurity of the fine print of the 2010 risk A6: Security Misconfiguration.

This version of the OWASP Top 10 is based on 8 datasets from 7 firms that specialize in application security, including 4 consulting companies and 3 tool/SaaS vendors (1 static, 1 dynamic, and 1 with both). This data spans over 500,000 vulnerabilities across hundreds of organizations and thousands of applications. The Top 10 items are selected and prioritized according to this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact.

Covered Entities

All companies and other entities that develop any kind of web application code are encouraged to address the top ten list as part of their overall security risk management. Adopting the OWASP Top Ten is an effective first step towards changing the software development culture within the organization into one that produces secure code.

6/12/2016 1

For more information on the OWASP Top Ten, please review "OWASP Top Ten 2013 – The Ten Most Critical Web Application Security Risks" at http://www.owasp.org

For more information on securing web applications, please visit http://www-01.ibm.com/software/rational/offerings/websecurity

The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstrate potential vulnerabilities in your application that should be corrected in order to reduce the likelihood that your information will be compromised. As legal advice must be tailored to the specific application of each law, and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.

Violated Section

Issues detected across 0/10 sections of the regulation:

Issues  Section
0       A1 - Injection
0       A2 - Broken authentication and session management
0       A3 - Cross site scripting (XSS)
0       A4 - Insecure direct object reference
0       A5 - Security Misconfiguration
0       A6 - Sensitive Data Exposure
0       A7 - Missing Function Level Access Control
0       A8 - Cross site request forgery (CSRF)
0       A9 - Using Known Vulnerable Components
0       A10 - Unvalidated Redirects and Forwards

Section Violation By Issue

0 unique issues detected across 0/10 sections of the regulation:

URL    Entity    Issue Type    Sections
(no rows: no issues were detected)

Detailed Security Issues by Sections

Issues  Section
0       A1 - Injection
0       A2 - Broken authentication and session management
0       A3 - Cross site scripting (XSS)
0       A4 - Insecure direct object reference
0       A5 - Security Misconfiguration
0       A6 - Sensitive Data Exposure
0       A7 - Missing Function Level Access Control
0       A8 - Cross site request forgery (CSRF)
0       A9 - Using Known Vulnerable Components
0       A10 - Unvalidated Redirects and Forwards
Web Application Report

The Payment Card Industry Data Security Standard (PCI DSS) Compliance Report

This report was created by IBM Security AppScan Standard 9.0.3.1 iFix001, Rules: 1999. Scan started: 6/3/2016 1:18:37 PM

Regulations

The Payment Card Industry Data Security Standard (PCI) Version 3.1

Summary

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data.

PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personal information or other data elements (for example, cardholder name). PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.

The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data.

"System components" include network devices, servers, computing devices, and applications. Examples of system components include but are not limited to the following:

• Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of the CDE (for example, name resolution or web redirection servers).
• Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
• Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
• Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
• Applications including all purchased and custom applications, including internal and external (for example, Internet) applications.
• Any other component or device located within or connected to the CDE.

Covered Entities

PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

PCI DSS requirements apply to organizations and environments where account data (cardholder data and/or sensitive authentication data) is stored, processed or transmitted. Some PCI DSS requirements may also be applicable to organizations that have outsourced their payment operations or management of their CDE. Additionally, organizations that outsource their CDE or payment operations to third parties are responsible for ensuring that the account data is protected by the third party per the applicable PCI DSS requirements.

Compliance Penalties

If a merchant or service provider does not comply with the security requirements or fails to rectify a security issue, the card companies may fine the acquiring member, or impose restrictions on the merchant or its agent.

Compliance Required By

PCI DSS version 3.x has replaced PCI DSS v2.0. Version 3.0 became effective on January 1, 2014, and v2.0 may not be used for PCI DSS compliance after December 31, 2014; version 3.1, the one this report checks against, was published in April 2015 and retired v3.0 on June 30, 2015.

Regulators

The PCI Security Standards Council, and its founding members including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International.

For more information on the PCI Data Security Standard, please visit:

https://www.pcisecuritystandards.org/index.htm

Copyright: The PCI information contained in this report is proprietary to PCI Security Standards Council, LLC. Any use of this material is subject to the PCI SECURITY STANDARDS COUNCIL, LLC LICENSE AGREEMENT that can be found at:

https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm

Violated Section

Issues detected across 0/32 sections of the regulation:

Issues  Section
0       Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters.
0       Requirement 2.1 - Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.
0       Requirement 2.2.2 - Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
0       Requirement 2.2.4 - Configure system security parameters to prevent misuse.
0       Requirement 2.2.5 - Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems.
0       Requirement 2.3 - Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
0       Requirement 2.6 - This section applies to web applications that are used by hosting providers for hosting purposes. Hosting providers must protect each entity's hosted environment and data.
0       Requirement 4 - Encrypt transmission of cardholder data across open, public networks.
0       Requirement 4.1 - Use strong cryptography and security protocols (for example TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
        • Only trusted keys and certificates are accepted.
        • The protocol in use only supports secure versions or configurations.
        • The encryption strength is appropriate for the encryption methodology in use.
        Examples of open, public networks include but are not limited to:
        • The Internet
        • Wireless technologies, including 802.11 and Bluetooth
        • Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA)
        • General Packet Radio Service (GPRS)
        • Satellite communications
0       Requirement 6 - Develop and maintain secure systems and applications.
0       Requirement 6.1 - Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high," "medium," or "low") to newly discovered security vulnerabilities.
0       Requirement 6.2 - Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
0       Requirement 6.3 - Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:
        • In accordance with PCI DSS (for example, secure authentication and logging)
        • Based on industry standards and/or best practices.
        • Incorporating information security throughout the software-development lifecycle
        Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party.
0       Requirement 6.3.1 - Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.
0       Requirement 6.4.4 - Removal of test data and accounts before production systems become active.
0       Requirement 6.5 - Address common coding vulnerabilities in software-development processes as follows:
        • Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
        • Develop applications based on secure coding guidelines.
        Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.
0       Requirement 6.5.1 - Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
0       Requirement 6.5.2 - Buffer overflow
0       Requirement 6.5.3 - Insecure cryptographic storage
0       Requirement 6.5.4 - Insecure communications
0       Requirement 6.5.5 - Improper error handling
0       Requirement 6.5.7 - Cross site scripting (XSS)
0       Requirement 6.5.8 - Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
0       Requirement 6.5.9 - Cross site request forgery (CSRF)
0       Requirement 6.5.10 - Broken authentication and session management. Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement.
0       Requirement 6.6 - For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
        • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes. Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
        • Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
0       Requirement 7 - Restrict access to data by business need-to-know
0       Requirement 7.1 - Limit access to system components and cardholder data to only those individuals whose job requires such access.
0       Requirement 7.1.2 - Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
0       Requirement 8.2 - In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
        • Something you know, such as a password or passphrase
        • Something you have, such as a token device or smart card
        • Something you are, such as a biometric.
0       Requirement 8.2.1 - Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.
0       Requirement 8.7 - All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:
        • All user access to, user queries of, and user actions on databases are through programmatic methods.
        • Only database administrators have the ability to directly access or query databases.
        • Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
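Requirements 2.3, 4.1 and 6.5.4 in the table above all reduce to the same client-side TLS settings: only trusted certificates are accepted, the certificate name is checked against the host, and there is no fallback to old protocol versions. The following is an added example, not code from the Bomgar report or from IBM AppScan, that audits a Python ssl.SSLContext for those settings and shows the weak configuration beside the hardened one. The function names, the TLS 1.2 floor and the wording of the findings are the editor's assumptions; PCI DSS 4.1 as quoted names no specific version.

```python
"""Added example (not from the Bomgar report or IBM AppScan): audit a Python
ssl.SSLContext against the controls PCI DSS 2.3 / 4.1 / 6.5.4 describe.
"""
import ssl

# Lowest protocol version this audit accepts. The PCI DSS 4.1 text only says
# "secure versions or configurations"; TLS 1.2 is the editor's assumption.
MIN_ACCEPTABLE = ssl.TLSVersion.TLSv1_2


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings for a client context; an empty list means it passes."""
    findings = []
    # 4.1: "Only trusted keys and certificates are accepted" -> the peer must
    # present a certificate that chains to a trusted CA ...
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (verify_mode != CERT_REQUIRED)")
    # ... and that certificate must actually be for the host we dialled.
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    # 4.1: "The protocol in use only supports secure versions or configurations".
    if ctx.minimum_version < MIN_ACCEPTABLE:
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} "
            f"is below {MIN_ACCEPTABLE.name}"
        )
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The 'make the certificate error go away' setup the controls forbid."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate, self-signed or forged
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # allows TLS 1.0 handshakes
    except ValueError:                  # OpenSSL built without TLS 1.0: take the floor
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """create_default_context() already sets CERT_REQUIRED and check_hostname;
    pinning the minimum version is the one extra step."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_ACCEPTABLE
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx) or "OK")
```

The same three properties apply on the listening side of a web-based administrative interface (Requirement 2.3): present a certificate from a trusted CA, and refuse protocol versions below the floor.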

Section Violation By Issue

0 unique issues detected across 0/32 sections of the regulation:

URL    Entity    Issue Type    Sections
(no rows: no issues were detected)

Detailed Security Issues by Sections

The same 32 sections, listed again as the report's per-section detail; each shows 0 issues and carries no detail entries.

Issues  Section
0       Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters.
0       Requirement 2.1 - Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
0       Requirement 2.2.2 - Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
0       Requirement 2.2.4 - Configure system security parameters to prevent misuse.
0       Requirement 2.2.5 - Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems.
0       Requirement 2.3 - Encrypt all non-console administrative access using strong cryptography.
0       Requirement 2.6 - Hosting providers must protect each entity's hosted environment and data.
0       Requirement 4 - Encrypt transmission of cardholder data across open, public networks.
0       Requirement 4.1 - Use strong cryptography and security protocols (for example TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.
0       Requirement 6 - Develop and maintain secure systems and applications.
0       Requirement 6.1 - Establish a process to identify security vulnerabilities and assign a risk ranking to newly discovered security vulnerabilities.
0       Requirement 6.2 - Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches; install critical security patches within one month of release.
0       Requirement 6.3 - Develop internal and external software applications (including web-based administrative access to applications) securely.
0       Requirement 6.3.1 - Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.
0       Requirement 6.4.4 - Removal of test data and accounts before production systems become active.
0       Requirement 6.5 - Address common coding vulnerabilities in software-development processes.
0       Requirement 6.5.1 - Injection flaws, particularly SQL injection (also OS command, LDAP, XPath and other injection flaws).
0       Requirement 6.5.2 - Buffer overflow
0       Requirement 6.5.3 - Insecure cryptographic storage
0       Requirement 6.5.4 - Insecure communications
0       Requirement 6.5.5 - Improper error handling
0       Requirement 6.5.7 - Cross site scripting (XSS)
0       Requirement 6.5.8 - Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
0       Requirement 6.5.9 - Cross site request forgery (CSRF)
0       Requirement 6.5.10 - Broken authentication and session management
0       Requirement 6.6 - For public-facing web applications, address new threats and vulnerabilities on an ongoing basis (application vulnerability assessment at least annually and after any changes, or a web-application firewall in front of the application).
0       Requirement 7 - Restrict access to data by business need-to-know
0       Requirement 7.1 - Limit access to system components and cardholder data to only those individuals whose job requires such access.
0       Requirement 7.1.2 - Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
0       Requirement 8.2 - Ensure proper user-authentication management for non-consumer users and administrators on all system components (something you know, something you have, or something you are).
0       Requirement 8.2.1 - Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.
0       Requirement 8.7 - Restrict all access to any database containing cardholder data (programmatic access only; direct queries limited to database administrators; application IDs used only by the applications).

Web Application Report

[US] Federal Information Security Mgmt. Act (FISMA) Compliance Report

This report was created by IBM Security AppScan Standard 9.0.3.1 iFix001, Rules: 1999. Scan started: 6/3/2016 1:18:37 PM

Regulations

Federal Information Security Management Act (FISMA)

Summary

The Federal Information Security Management Act (FISMA) was passed by Congress and signed into law by the President as part of the Electronic Government Act of 2002. It provides a framework to ensure comprehensive measures are taken to secure federal information and assets. It requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

The Office of Management and Budget (OMB) requires federal agencies to prepare Plans of Action and Milestones (POA&M) reports for all programs and systems where they have found an IT security weakness. CIOs and agency program officials must develop, implement, and manage POA&Ms for all programs and systems they operate and control. Program officials must regularly update the agency CIO on their progress so the CIO can monitor agency-wide remediation efforts and provide the agency's quarterly update to OMB.

Agencies must submit a report to the OMB that summarizes the results of annual IT security reviews of systems and programs, and any progress the agency has made towards fulfilling their FISMA goals and milestones.

OMB uses the reports to help evaluate government-wide security performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency security performance, and inform development of the E-Government Scorecard under the President's Management Agenda.

FISMA requires that federal agency officials understand the current status of their security programs and the security controls planned or in place to protect their information and information systems, in order to make informed judgments and investments that appropriately mitigate risk to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the agency and to accomplish the agency's stated missions with adequate security, or security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.

FISMA Implementation

Phase I: Standards and Guidelines Development

The first phase of the FISMA Implementation Project focuses on the development and updating of the security standards and guidance required to effectively implement the provisions of the legislation. The implementation of the NIST standards and guidance will help agencies create and maintain robust information security programs and effectively manage risk to agency operations, agency assets, and individuals.

Phase II: Implementation and Assessment Aids

The second phase of the FISMA Implementation Project is focused on providing information system implementation and assessment reference materials for building common understanding in applying the NIST suite of publications supporting the Risk Management Framework (RMF).

NIST Implementation Documents

NIST develops and issues standards, guidelines and other publications to assist federal agencies in implementing FISMA, including minimum requirements for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems.

Federal Information Processing Standards (FIPS) are approved by the Secretary of Commerce and issued by NIST in accordance with FISMA. FIPS are compulsory and binding for federal agencies. FISMA requires that federal agencies comply with these standards, and therefore agencies may not waive their use. FIPS 200 mandates the use of Special Publication 800-53, as amended.

AppScanandFISMA

AppScan'sFISMAcompliancereportwillautomaticallydetectpossibleissuesinyourWebenvironmentthatmayberelevanttoyouroverallcompliancewiththeminimumsecuritycontrolsrecommendationsassetinthesecuritycatalogofNISTSpecialPublication80053.ThisreportwasconstructedaccordingtotheHIGH-IMPACTInformationSystemsbaseline.Organizationsthatuselowormoderatecontrolbaselinemayhavetoadjusttheresultsaccordingly.

CoveredEntities

AllFederalagenciesandorganizationswhichpossessoruseFederalinformation--orwhichoperate,use,orhaveaccesstoFederalinformationsystems--onbehalfofaFederalagency,includingcontractors,grantees,Stateandlocalgovernments,andindustrypartners.

EffectiveDate

December2002

ComplianceRequiredby

FederalagenciesmustsubmittheirannualITreviewreportstotheOMBbyOctoberofeachyear.


Regulators/Auditors

The Office of Management and Budget (OMB).

For more information on securing web applications, please visit: http://www-01.ibm.com/software/rational/offerings/websecurity/

The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstrate potential vulnerabilities in your application that should be corrected in order to reduce the likelihood that your information will be compromised. As legal advice must be tailored to the specific application of each law, and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.

Violated Section

Issues detected across 0/23 sections of the regulation:

Sections | Number of Issues
Sec. 3544.(A), Sec. 3547(1) - The head of each agency shall be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of—(i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; | 0
Sec. 3544.(B) - The head of each agency shall be responsible for complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines, including—(i) information security standards promulgated under section 11331 of title 40; and (ii) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; | 0
NIST SP 800_53, AC-3 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | 0
NIST SP 800_53, AC-6 - The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. | 0
NIST SP 800_53, AC-10 - The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. | 0
NIST SP 800_53, AC-11 - The Organization prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and retains the session lock until the user reestablishes access using established identification and authentication procedures. | 0
NIST SP 800_53, AC-17 - The organization: Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and Authorizes remote access to the information system prior to allowing such connections. | 0
NIST SP 800_53, CM-6 - The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. | 0
NIST SP 800_53, CM-7 - The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. | 0
NIST SP 800_53, IA-2 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). | 0
NIST SP 800_53, IA-4.D - The organization manages information system identifiers for users and devices by preventing reuse of user or device identifiers for [Assignment: organization-defined time period]. | 0
NIST SP 800_53, IA-4.E - The organization manages information system identifiers for users and devices by disabling the user identifier after [Assignment: organization-defined time period of inactivity]. | 0
NIST SP 800_53, IA-5.C - The organization manages information system authenticators for users and devices by ensuring that authenticators have sufficient strength of mechanism for their intended use. | 0
NIST SP 800_53, IA-5.E - The organization manages information system authenticators for users and devices by changing default content of authenticators upon information system installation. | 0
NIST SP 800_53, RA-5.A - The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported. | 0
NIST SP 800_53, SC-5 - The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. | 0
NIST SP 800_53, SC-8 - The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. | 0
NIST SP 800_53, SC-13 - The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | 0
NIST SP 800_53, SC-23 - The information system protects the authenticity of communications sessions. | 0
NIST SP 800_53, SI-3.A - Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; | 0
NIST SP 800_53, SI-3.B - The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; | 0
NIST SP 800_53, SI-10 - The information system checks the validity of information inputs. | 0
NIST SP 800_53, SI-11.A - Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; | 0

Section Violation By Issue

0 Unique issues detected across 0/23 sections of the regulation:

URL Entity Issue Type Sections


Detailed Security Issues by Sections

Sec. 3544.(A), Sec. 3547(1) - The head of each agency shall be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of—(i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; | 0

Sec. 3544.(B) - The head of each agency shall be responsible for complying with the requirements of this subchapter and related policies, procedures, standards, and guidelines, including—(i) information security standards promulgated under section 11331 of title 40; and (ii) information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; | 0

NIST SP 800_53, AC-3 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | 0

NIST SP 800_53, AC-6 - The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. | 0

NIST SP 800_53, AC-10 - The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. | 0


NIST SP 800_53, AC-11 - The Organization prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and retains the session lock until the user reestablishes access using established identification and authentication procedures. | 0

NIST SP 800_53, AC-17 - The organization: Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and Authorizes remote access to the information system prior to allowing such connections. | 0

NIST SP 800_53, CM-6 - The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. | 0

NIST SP 800_53, CM-7 - The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. | 0


NIST SP 800_53, IA-2 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). | 0

NIST SP 800_53, IA-4.D - The organization manages information system identifiers for users and devices by preventing reuse of user or device identifiers for [Assignment: organization-defined time period]. | 0

NIST SP 800_53, IA-4.E - The organization manages information system identifiers for users and devices by disabling the user identifier after [Assignment: organization-defined time period of inactivity]. | 0

NIST SP 800_53, IA-5.C - The organization manages information system authenticators for users and devices by ensuring that authenticators have sufficient strength of mechanism for their intended use. | 0

NIST SP 800_53, IA-5.E - The organization manages information system authenticators for users and devices by changing default content of authenticators upon information system installation. | 0

NIST SP 800_53, RA-5.A - The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported. | 0


NIST SP 800_53, SC-5 - The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]. | 0

NIST SP 800_53, SC-8 - The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. | 0

NIST SP 800_53, SC-13 - The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | 0

NIST SP 800_53, SC-23 - The information system protects the authenticity of communications sessions. | 0

NIST SP 800_53, SI-3.A - Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; | 0

NIST SP 800_53, SI-3.B - The organization updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; | 0


NIST SP 800_53, SI-10 - The information system checks the validity of information inputs. | 0

NIST SP 800_53, SI-11.A - Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; | 0
