- June 22, 2022
- Posted by: Reshma Ravi
- Category: Digital Assurance
Healthcare systems are under immense pressure after COVID-19 pandemic. Healthcare providers have now to be prepared to handle unprecedented numbers of patients, which is increasingly bringing new challenges in managing and scaling operations. The federal, state, and local governments were in full crisis response mode.
Contact us for your software testing needs and more!
Get in touch
The COVID-19 pandemic has triggered an acute need for healthcare providers to avail the assistance of technology solution providers that offer solutions based on industry-wide regulations like FedRAMP.
Nowadays, IT and tech solutions are developing applications keeping compliance in mind. Healthcare providers and public agencies can implement such digital applications to address the challenges. However, the best digital healthcare application is the one that has gone through the best testing process. We help you know this by discussing the best testing approach for healthcare applications in the context of FEDRAMP.
This blog might be of your interest: Mobile Application Testing Solutions For New-age Mobile Applications
About FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a risk-based approach to adopt and leverage the cloud by the federal government. Established in 2011, it is intended to empower enterprises with new-age cloud capabilities. A cost-effective approach, it emphasizes security of federal information, authorization, and continuous monitoring of cloud’s performance and its products.
Why FedRAMP?
Some of the reasons explaining the importance of FedRAMP are as below:
- FedRAMP governs the security and risk assessment of cloud by providing a set of standards.
- Any application of cloud by a public agency must comply with FedRAMP standards.
- As a rigorous process, FedRAMP evaluation offers a standardized approach to security assessment, authorization, and continuous monitoring. Each of these requirements must be satisfied to prevent falling out of compliance.
- FedRAMP effectively helps reduce duplication and inconsistencies and facilitates cost efficiencies.
- FedRAMP establishes a public-private partnership to promote innovation and the advancement of more secure information technologies. With FedRAMP, you can forge public-private partnerships and drive innovation for more secured IT framework.
- FedRAMP enables the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a government-wide scale. FedRAMP helps create transparent standards and processes which agencies can leverage and scale with ease. This feature of FedRAMP accelerates cloud adoption by agencies.
Authorization through an agency and process in FedRAMP:
The Agency Authorization process allows agencies to work with a CSP (Cloud Service provider as and when required. When a CSP decides to work with an agency to avail Authority to Operate (ATO), they get to work with the agency throughout the FedRAMP authorization lifecycle. Listed below are the different processes that go into the authorization process.
- Readiness Assessment –To achieve the FedRAMP-ready tag, it is essential on the part of CSP to partner with a certified 3PAO (Third Party Assessment Organization). It is then only that completing assessment of readiness would be feasible. The RAR (Readiness Assessment Report) records the capability of CSP to meet security requirements.
- Pre-Authorization– CSP establishes a formal partnership with an agency through requirements specified in the marketplace. In this process, CSP has to ensure that the leadership is committed to implementing FedRAMP process. Moreover, it has to ensure the security categorization. The last step is to initiate the kickoff meeting so that background functionality and technical security are ensured and there are not compliance gaps.
- Full Security Assessment –Before this process, it is expected that SSP is complete and approved by the agency. An independent audit is conducted by 3PAO with an aim to test the CSP’s system. Security Assessment Report (SAR) are prepared, based on which CSP develops POA&M (Plan of Action for achieving Milestones)
- Agency Authorization Process –. This process involves the agency conducting a review of security authorization package. CSP initiates remediation as per the results of the review. Finally, the agency customer drives risk analysis before issuing an ATO. The CSP and 3ATO then uploads all requisite security material to FedRAMP’s secured repository. This is followed by the review of the security assessment materials to be included in the marketplace.
- Continuous Monitoring – All the agency customers must be kept informed and updated with security deliverables. So, CSP ha to provide periodic deliverables for security. This includes vulnerability scans, annual security assessments, significant change requests, incident reports and updated POA&M. Through the services, each agency conducts periodic (monthly and annual) monitoring of deliverables.
Learn how indium conducted test automation processes for a sales force application
Click Here
Strategy for compliance testing
Indium will follow several strategies in its digital assurance solutions to perform various compliance tests to ensure the application security. Below are the types to testing requirements involved during testing for FEDRAMP requirements.
Web Application/ Mobile Application /Application Program Interface (API) Testing:
- Cloud Access – Roles associated to the cloud access and access limitations.
- Configuration – Web server configuration level validation.
- Authentication and Session Management – Validates how session is created between browsers/devices and maintains session state.
- Data Storage – Verify Encryption outside application platform.
- API – Perform internet searches to identify any publicly available information on the target web application and make sure all input elements are validated.
High-level Testing activities to meet the FedRAMP Req.:
| Security Controls | Validation Name |
| ACCESS CONTROL | PUBLICLY ACCESSIBLE CONTENT |
| ACCESS CONTROL | ACCOUNT MANAGEMENT | ROLE-BASED SCHEMES |
| ACCESS CONTROL | CONCURRENT SESSION CONTROL |
| ACCESS CONTROL | SESSION LOCK |
| ACCESS CONTROL | SESSION TERMINATION |
| ACCESS CONTROL | UNSUCCESSFUL LOGON ATTEMPTS |
| ACCESS CONTROL | PRVILAGED ACCESS/DENIED ACCESS |
| ACCESS CONTROL | AUTHENTICATION AND ENCRYPTION |
| AWARNESS AND TRAINING | ROLE-BASED SECURITY TRAINING |
| AWARNESS AND TRAINING | SECURITY AWARENESS TRAINING |
| AUDIT | AUDIT EVENTS |
| AUDIT | AUDIT REVIEW, ANALYSIS, AND REPORTING |
| AUDIT | RESPONSE TO AUDIT PROCESSING FAILURES |
| SECURITY ASSESSMENT AND AUTHORIZATION | CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT |
| SECURITY ASSESSMENT AND AUTHORIZATION | PENETRATION TESTING |
| CONFIGURATION MANAGEMENT | CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENT CHANGES |
| CONFIGURATION MANAGEMENT | SECURITY IMPACT ANALYSIS | SEPARATE TEST ENVIRONMENTS |
| CONFIGURATION MANAGEMENT | ACCESS RESTRICATIONS FOR CHANGE |
| CONFIGURATION MANAGEMENT | ALERTS FOR UNAUTHORIZED INSTALLATIONS |
| CONTINGENCY PLANNING | CONTINGENCY PLAN TESTING |
| CONTINGENCY PLANNING | BACKUP ACTIVITIES – PRIMARY and SECONDARY REGION |
| CONTINGENCY PLANNING | TESTING FOR RELIABILITY / INTEGRITY |
| IDENTIFICATION AND AUTHENTICATION | VALIDATION OF LOCAL ACCESS, REMOTE ACCESS, NETWORK ACCESS |
| IDENTIFICATION AND AUTHENTICATION | AUTHENTICATOR MANAGEMENT |
| INCIDENT RESPONSE | IR TRAINING AND TESTING |
| MAINTANANCE | CONTROLLED MAINTENANCE |
| MAINTANANCE | SYSTEM MESSAGES – MANUAL AND AUTOMATIC |
Check this out : Automation Testing for Financial Services Application
Network & Penetration Testing:
Below is the process that will be ensured as a part of network and penetration testing to ensure the FEDRAMP requirement
• Security assessment schedule
• Describe Tools for security controls
• Injection Analysis & Broken Authentication / Authorization (API & Web)
• Vulnerability Assessment & Penetration Test on API (request & response) & Web.
• Vulnerability analysis on API, APK & iOS
For information about indium’s digital assurance services
Contact us
Stages in Vulnerability assessment:
| Web Application Security Analysis |
| Injection Analysis & Broken Authentication / Authorization (API & Web) |
| Vulnerability Assessment & Penetration Test on API (request & response) & Web. |
| Vulnerability analysis on API, APK & iOS |
| Improper usage of platform and poorly secured data storage (API, APK & iOS) |
| Poorly secured Authorization & Communication (API, APK & iOS) |
| Code Tampering & Reverse Engineering (APK & iOS) |
| Runtime / Dynamic Analysis (APK & iOS) |
| Component exploitation |
| SSL Pinning |
| Root & Emulator detection |
Tools to validate:
| Platform | Tools |
| Web | OWASP-ZAP, NMAP, Nessus essentials |
| Web & Mobile | Burp Suite |
| APK | ADB, Drozer, JD-GUI, Dex2Jar, APK Tool |
| APK & iOS | Mob-SF,Frida |
| iOS | Cydia, Objection |
| VAPT – API – Scenarios: Broken object level authentication Injection attacks Authentication and Authorization Access ControlSecurity Misconfiguration Sensitive Data exposure MITM attacks Components with vulnerabilities Indirect object reference |
| VAPT – Mobile & Web Scenarios: Poor platform usage Poor data storage Poor communication Weak authentication Weak Cryptography Poor authorization security Quality of client code(apk) Code tamperingMITM Attacks |