Security Innovation offers a range of services that help organizations resolve vulnerabilities and weaknesses in a portfolio of enterprise applications, a stand-alone application, an embedded software system, or within the software development process itself.
Our experts use a combination of commercial, open source and internally built tools to complement manual efforts. We leverage automated tools to perform high level scanning to discover common vulnerabilities, combined with manual techniques and expert tool usage for effectiveness and efficiency. We’ve performed extensive research on the various tools available and we carefully choose those that we feel are the most efficient and accurate.
Core to our assessments are internally developed, specialized tools and scripts that help reduce the assessment time and uncover deeply rooted or elusive vulnerabilities. Commonly used tools include custom fuzzers, environment simulators, static analyzers, encoders/decoders, proxies to capture and manipulate traffic, regex matchers, etc. We also have custom scripts that are used to simulate complex attacks.
The heart of any assessment is the skillset of the engineers. Manual testing and review requires a deep understanding of the technologies being used, the development language, the application’s environment, and how software fundamentally functions and fails with respect to security. Additionally, tools need to be operated by experts so they can be leveraged properly and results can be interpreted correctly and quickly.
We hire only proven application security experts and we ensure our engineers have the right mix of skills to be effective testers: software engineering background, knowledge of various technologies and application scenarios, and a creative imagination. Additionally, we ensure that each engineer brings a unique skill to the team whether it is expertise in a specific platform, development language, industry standard, etc. When we engage with a customer, we match our expert(s) with the skills most needed for that assessment.
Each platform has unique threats, built-in defenses and attack vectors. This is where our approach of threat modeling paired with an expert on that platform yields high performance (and highly repeatable) results.
Web application testing is used to find vulnerabilities in web clients, servers, and back-end databases. Making use of proxies, commercial scanners, internally developed tools and scripts, and manual efforts, our team uncovers threats from internal and external users.
We have tested Web applications for Technology, e-Commerce, , Marketing, Banking, and other business purposes for HP, Microsoft, Discover, Akamai, Credit-Suisse and others.
This assessment identifies and mitigates vulnerabilities in mobile applications, devices, and back-end systems. Our experts focus on the unique threats and weaknesses and routinely bypass client protections and masquerade as a rogue client a rogue server.
We have tested Mobile Banking, E-Commerce, and Payment Systems for Kronos, HP, Reuters, SAP, Microsoft and others. We’ve tested all major mobile Operating Systems including iOS (iPad/iPhone), Blackberry, Android, Windows Mobile, Symbian, and Windows Phone 7.
Thick client applications can be stand-alone or part of a client-server architecture. Our protocol and binary reverse engineering skills allows us to discover vulnerabilities in applications that may remain hidden from other tools and assessments. Leveraging fault-simulation technologies, we force thick clients into hostile environments and test error-handling and other kinds of boundary condition behavior. Use of proprietary technologies equips our experts with unprecedented power to test thick client applications.
We have tested thick client applications for healthcare, retail, software and other vertical markets for companies such as Philips Medical, Microsoft, Tyco and Sony.
Loss of control of data is the biggest threat when implementing a solution the cloud, so we focus on ensuring that data is secured at rest and in transit by validating encryption and data security components are implemented securely. We also focus on configuration of cloud services, making sure that authentication and authorization components can't be bypassed. Additionally, unauthorized access in the Cloud presents cost and reputation risks, so we look specifically for ways to attack bandwidth and storage moles and business requirements. For example, a vulnerability that allows an attacker to upload arbitrary files (a defect we discovered) could allow an attacker to consume massive amounts of bandwidth and they could potentially use your server to deliver malware or pornography.
We have done many assessments that use Amazon Web Service, Windows Azure, HP Cloud and others as their infrastructure. Sample assessments include HP CloudPrint, lifeIMAGE's OutBox, and Teradata's Active Data Warehouse Private Cloud.
Embedded software offer different challenges from other applications as there is often no direct user interface access. In 2009, Security Innovation acquired NTRU CryptoSystems, Inc., a company that specializes in testing and securing wireless and embedded systems. The combination of the NTRU engineers’ strong crypto and embedded architecture skills with Security Innovation’s software security analysis expertise has produced a unique skillset in the industry. We leverage these skills to test set-top boxes, personal entertainment devices, automotive communication systems and transactional kiosks.
Sample clients in the embedded space include TIVO, Sony, Qualcomm, US DoT and US Courts.
Our security experts deliver solutions that analyze security features, identify weaknesses, and enable effective implementation of your entire embedded automotive application. We leverage secure coding and embedded systems design skills to help secure automotive communication systems, in-vehicle infotainment (IVI), over-the-air (OTA) updates, advanced driver assistance systems (ADAS) and any other electronic control unit (ECU).
A key element of maintaining our expertise in emerging threats and technologies is the fact that we allocate a percentage of each engineer’s time to research in areas of their choice. This may take the form of an engineer learning Ruby on Rails, or one investigating latest attack trends for J2ME applications. Over the years, we’ve developed deep expertise in the following:
Our general approach to application assessments, regardless of the underlying technology, remains consistent. However, each language does have unique syntax and idiosyncrasies that require a level of customized testing, so it’s critical that we match the skill set of our engineers with the nature of the software. This is of particular importance when it comes to our ability to provide expert remediation recommendations.