Identify Threats at any Development Phase
Our Software Assessment services identify security vulnerabilities and threats at any phase of development. For each, we’ll focus on areas where your application is most at risk, report back issues found, and provide remediation advice.
Application Penetration Testing
Leveraging security testing techniques derived from our top-selling book How to Break Software Security, our security engineers will employ manual attacks and specialized tooling to uncover vulnerabilities in your software. For both web and non-web applications, we follow a similar three step process:
Phase 1
Using sophisticated threat modeling techniques, our security team identifies the areas that attackers will likely exploit and determine the magnitude of the loss should those areas be penetrated. The modeling activity prioritizes the testing activities and highlights the areas where attacks could do the most damage, guiding the testing process for greatest effect.
Phase 2
Led by the prioritized threat model, the application develops a test plan that will guide the aggressive application penetration testing – applying not only the well known attacks and techniques that a hacker would typically employ, but proprietary attacks developed by Security Innovation that are designed to uncover deeper hiding vulnerabilities.
Phase 3
The application security team generates a detailed report that includes the complete threat model, the test methodology, the detailed findings for each identified threat area and severity ratings. The findings, along with appropriate remediation recommendations, are presented in a report and presented in person to the risk management team responsible for the application.
Security Code Review
A Code Review analyzes existing codebase and locates code constructs that lead to security vulnerabilities. The result is a detailed report outlining code issues and suggested repairs for improved security – allowing teams to better understand problem areas of their code and prevent common logic errors and other mistakes in the future.
Our expert security team employs a combination of static analysis tools and “eyes on” manual review to uncover the highest number of flaws possible – and provides remediation for those coding errors. Code reviews may be executed against applications written in C, C++ C#, Visual Basic, Visual Basic.NET, ABAP, and a myriad of web technologies including Ruby, PHP, AJAX, and Perl.
Threat Modeling
Threat Modeling is a key and often under-appreciated security analysis technique that Development, IT and Security teams use to identify critical risks and make better security decisions. Whether performed on an existing application or throughout the SDLC, it is the starting point in creating, deploying and maintaining secure software applications. Benefits include:
- Fast and practical – allows for many applications to be analyzed in a short period of time.
- Exposes REAL threats – not hypothetical or potential threats (very few or no false positives).
- Maps to each phase of the SDLC – drives design decisions, implementation guidelines, and testing activities.
- Produces a persistent and tangible asset – can be leveraged whenever new risks are uncovered.
