Security testing is the process by which the security of an organisation is systematically tested. Testing is performed with the same means that malicious users use, under a methodology that makes the results of the tests beneficial to the organisation under assessment. The scope of the tests is not limited to hardware and software resources, but includes all aspects of the organisational structure, such as processes and human resources.
census uses the latest attack techniques along with the results of its in-house vulnerability research to identify common and acknowledged vulnerabilities and distinguish the possibilities of zero day attacks. Our security testing services can be offered in various ways depending on the required depth of testing and the nature of the organisation/client. The following options are available:
- Tiger Team - The ultimate security test; covers all aspects of an organisation's infrastructure.
- Penetration Testing - Customer-controlled security testing attacks.
- Web Application Testing - Security testing for custom and off-the-shelf web applications.
- Network Infrastructure Testing - Checks the security parameters of network components such as switches, routers, IPS, IDS, firewalls etc.
- Social Engineering - Tests the information security awareness of personnel.
The information resulting from our security testing sessions is provided with a strong classification with regard to the threats and the risks associated with the identified and exploited vulnerabilities.
vulnerability research
A vulnerability is a state in a computing system that violates that system's security model. At census we recognise that security is not a goal but a process, therefore we heavily invest in research for unknown vulnerabilities as part of our security assessment services.
Our vulnerability research services ensure that a software product, a system implementation, or a new technology that an organisation is planning to invest in meets strict security requirements and does not suffer from vulnerabilities. We can provide detailed deliverables that empower the client to make informed strategic decisions towards new technologies, choose the most secure solution that meets their requirements, and preemptively reduce investment risk.
census employs a top-down approach which allows the identification of the most exposed applications and systems in a client's IT environment, followed by a thorough investigation for unknown vulnerabilities in these elements. We have extensive experience and specialised knowledge in the field of vulnerability research and we employ focused techniques such as fuzzing, reverse engineering, source code auditing (in cases where source code is available), static and dynamic analysis in order to identify vulnerabilities and clearly demonstrate their impact on a system's security model.
census also provides training in the field of vulnerability research. Our education services include the detailed analysis of vulnerability classes in software systems (both in userland and kernel space), methodologies for identifying new vulnerabilities, and the development of targeted programs for exposing the impact of vulnerabilities. We normally do not confine our training to a single operating system, giving our clients the opportunity to be educated in a variety of platforms. However, we can provide vulnerability research training on a client-chosen operating system if so required.
If you have a business interest in our vulnerability research services, please contact us so we can provide you with detailed information.
source code auditing
If your company is developing software, or purchasing custom software, then you must always be vigilant about vulnerabilities that can undermine the security of the end product and of the underlying operating system. census has extensive experience in auditing source code both for insufficient input validation vulnerabilities (like buffer overflows, XSS, SQL injections) and logic flaws (such as race conditions, concurrency violations).
Unlike traditional code auditing approaches, we do not rely on automated mechanisms to identify vulnerabilities. Instead, we follow a top-down approach which allows us to gain an understanding of the investigated system and provide a detailed source code vulnerability report to our clients.
census can provide source code auditing services for software implemented in the following languages:
- x86 Assembly
census can also provide software security testing services to companies that require an independent entity to assess the security of custom software they purchase from third parties.
Furthermore, we can provide training services for your company's developers in order to educate them about potential security vulnerabilities. We can help you enhance your software development lifecycle by incorporating security engineering principles into it rather than adding security as a retrofitted feature.
Detailed information (utilised methodologies and approaches, sample reports) for our source code auditing services is available upon expression of business interest.
Digital evidence plays a crucial role in modern crime investigations, since people rely more and more on computer infrastructures for both business and personal affairs. Crimes involving the unauthorized access to systems, processes and data, corporate espionage, cyber warfare but also identity theft, are all activities that are associated with some form of data manipulation, and as such, leave a digital trail.
At census laboratories, we examine these trails, searching for evidence that is legitimate and non-repudiable. Our clients then receive a detailed report on our findings, which may be used for judicial or other purposes.
malware analysis
Malware is software written with the intent to attack computer systems and steal valuable data or gain full control of the underlying operating system and misuse its available resources (bandwidth, storage space). Today, organizations face a growing threat from targeted malware attacks.
At census we can analyse malware affecting your computer systems, collected during a digital forensics investigation or otherwise, and provide you with a detailed report on our findings. Specifically, our analysis identifies:
- the high level objectives and business impact of the analysed malware.
- the infection and spreading capabilities of the analysed malware. We employ a set of techniques (e.g. reverse engineering, disassembling, run-time monitoring) to fully explore the captured malicious piece of software.
- methods of disinfection and damage control procedures necessary to ensure business continuity.
custom software solutions
At census we are very experienced at developing custom security software solutions. We can provide small, targeted applications tailored to specific needs, or large, enterprise-wide systems. We can also work as part of your development team in order to implement your security requirements.
Our primary focus is on custom applied cryptography solutions. Examples of previous contracted work include securing the communications and data transfers between existing systems and applications, enterprise PKI, secure storage and authorization databases. We advocate the use of published and widely adopted cryptographic algorithms and building blocks that have undergone academic scrutiny.