ZOFixer generates reports that enable you to communicate security discoveries with management and regulatory organizations. In the Advanced Penetration Test package, all compliance is checked and reported.
- GDPR Compliance
- PCI Compliance
- CWE / SANS – Top 25 Most Dangerous Software Errors Compliance
- HIPAA Compliance
- ISO 27001 Compliance
- OWASP Top 10 Compliance
- DISA STIG Web Security Compliance
- Web Application Security Consortium (WASC) Threat Classification Compliance
1- GDPR Compliance
You get a detailed report in the Advanced Penetration Test package that includes your score for GDPR compliance.
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Since the Regulation applies regardless of where websites are based, it must be heeded by all sites that attract European visitors, even if they don’t specifically market goods or services to EU residents.
Read more https://gdpr.eu/what-is-gdpr/
2- PCI Compliance
You get a detailed report in the Advanced Penetration Test package that includes PCI compliance.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. The PCI Security Standards Council, which maintains the standard, was launched on September 7, 2006, to manage PCI security standards and improve account security throughout the transaction process.
Read more https://www.pcisecuritystandards.org/
3- CWE / SANS – Top 25 Most Dangerous Software Errors Compliance
You get a detailed report in the Advanced Penetration Test package that includes the CWE / SANS – Top 25 Most Dangerous Software Errors.
Click on the CWE ID in any of the listings and you will be directed to the relevant spot in the MITRE CWE site where you will find the following:
- Ranking of each Top 25 entry,
- Links to the full CWE entry data,
- Data fields for weakness prevalence and consequences,
- Remediation cost,
- Ease of detection,
- Code examples,
- Detection Methods,
- Attack frequency and attacker awareness,
- Related CWE entries, and
- Related patterns of attack for this weakness.
Each entry at the Top 25 Software Errors site also includes fairly extensive prevention and remediation steps that developers can take to mitigate or eliminate the weakness.
| Rank | ID | Name |
|---|---|---|
| 1 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| 3 | CWE-20 | Improper Input Validation |
| 4 | CWE-200 | Information Exposure |
| 5 | CWE-125 | Out-of-bounds Read |
| 6 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| 7 | CWE-416 | Use After Free |
| 8 | CWE-190 | Integer Overflow or Wraparound |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) |
| 10 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| 11 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| 12 | CWE-787 | Out-of-bounds Write |
| 13 | CWE-287 | Improper Authentication |
| 14 | CWE-476 | NULL Pointer Dereference |
| 15 | CWE-732 | Incorrect Permission Assignment for Critical Resource |
| 16 | CWE-434 | Unrestricted Upload of File with Dangerous Type |
| 17 | CWE-611 | Improper Restriction of XML External Entity Reference |
| 18 | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) |
| 19 | CWE-798 | Use of Hard-coded Credentials |
| 20 | CWE-400 | Uncontrolled Resource Consumption |
| 21 | CWE-772 | Missing Release of Resource after Effective Lifetime |
| 22 | CWE-426 | Untrusted Search Path |
| 23 | CWE-502 | Deserialization of Untrusted Data |
| 24 | CWE-269 | Improper Privilege Management |
| 25 | CWE-295 | Improper Certificate Validation |
4- The Health Insurance Portability and Accountability Act (HIPAA) Compliance
You get a detailed report in the Advanced Penetration Test package that includes HIPAA compliance.
Part of HIPAA defines the policies, procedures, and guidelines for maintaining the privacy and security of individually identifiable health information. This report identifies the vulnerabilities that might infringe these policies. The vulnerabilities are grouped by the sections defined in HIPAA.
Read more https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
5- ISO 27001 Compliance
You get a detailed report in the Advanced Penetration Test package that includes ISO 27001 compliance.
ISO 27001, a member of the ISO/IEC 27000 family of standards, describes a management system designed to put information security under explicit management control. This report finds vulnerabilities that may violate the standard and categorizes them according to the sections stated in the standard.
Read more https://www.iso.org/isoiec-27001-information-security.html
6- OWASP Top 10 Compliance
You get a detailed report in the Advanced Penetration Test package that includes OWASP Top 10 compliance.
The Open Web Application Security Project (OWASP) is a web security project led by an international community of corporations, educational institutions and security researchers. OWASP is renowned for its work in web security, specifically through its list of the top 10 web security risks to avoid. This report shows which of the detected vulnerabilities fall under the OWASP Top 10 risk categories.
Read more https://owasp.org/www-project-top-ten/
7- DISA STIG Web Security Compliance
You get a detailed report in the Advanced Penetration Test package that includes DISA STIG Web Security compliance.
The Security Technical Implementation Guide (STIG) is a configuration guide for computer software and hardware defined by the Defense Information Systems Agency (DISA), which is part of the United States Department of Defense. This report identifies vulnerabilities that violate sections of the STIG and groups them by the sections of the guide that are being violated.
8- Web Application Security Consortium (WASC) Threat Classification Compliance
You get a detailed report in the Advanced Penetration Test package that includes WASC Threat Classification compliance.
The Web Application Security Consortium (WASC) is a non-profit organization made up of security specialists from around the world who have developed a threat classification system for web vulnerabilities. This report groups the vulnerabilities found on your site according to the WASC Threat Classification.