PRODUCT SECURITY ASSESSMENTS
CENSUS provides specialized services for the security assessment of products and the implementation of a Secure Systems Development Lifecycle. A brief overview of the related services is provided below. To learn more about these services and how these can enhance the product development process please see our whitepaper on the subject.
Design Level Review - Enforce Security By Design by having CENSUS experts review design level documentation of software features / projects, hardware components / architectures, new protocols and network architectures.
Source Code Auditing - A manual line-by-line security review of a product's (or component's) source code coupled with functional security testing. This is the best way to identify software vulnerabilities and prepare for a high quality release. CENSUS provides source code auditing services for software implemented in the following programming languages:
- Objective C
- x86 & ARM Assembly (32bit and 64bit)
- Unix Shell
Device Security Testing - Comprehensive security testing for the hardware and software of electronic devices.
Application Security Testing - "Black box" security testing for any type of application, including desktop applications, mobile apps and web applications. Web Application Security Testing provides remote testing for the whole stack of deployed web applications, covering all desired functionalities and user roles. Mobile App Security Testing is a specialized service for in-depth testing of iOS & Android apps (including related web APIs and communications with other devices / software components).
Product Infrastructure Penetration Testing - Use the Network and Cloud Infrastructure Testing module of our "Organization Security Testing" services to test the security posture of the infrastructure (e.g. IaaS / PaaS / Kubernetes setup, host setup, container setup, firewall / IDS / IPS setup etc.) that supports a product release / installation.
Threat Modeling and other Security Documentation - Develop a Threat Model, to map out important threats and prioritize work on countermeasures. CENSUS can also prepare other required security documentation such as a Product Security Plan, a Security Architecture document, a Data Classification document or a Product Disposal Plan. Moreover, necessary procedures, documentation and risk assessments can be prepared to fulfill product pre-market / post-market cybersecurity requirements (e.g. medical device FDA pre-market submission requirements).
Secure SDLC - Specialized security assessment and consulting services to help businesses build and maintain a Secure Systems Development Lifecycle for products.
ORGANIZATION SECURITY TESTING
Organization Security testing is the process by which the security of an organization is systematically tested. Testing is performed with the same means that malicious actors use, under a methodology that makes the results of the tests beneficial to the under assessment organization.
The scope of the tests is not limited only to hardware and software resources, but includes all aspects of the organizational structure, such as processes and human resources.
CENSUS uses the latest attack techniques along with the results of its in-house vulnerability research to identify common and acknowledged vulnerabilities and distinguish the possibilities of zero day attacks. Our organization security testing services can be offered in various ways depending on the required depth of testing and the nature of the organization/client. The following options are available:
- Tiger Team - The ultimate security test; covers all aspects of an organization's infrastructure.
- Red Teaming - Simulates the attacks carried out by different threat agents against the organization.
- Penetration Testing - Customer-controlled security testing attacks.
- Web Application Penetration Testing - Test for vulnerabilities in custom and off-the-shelf web applications that create risks for the organization and its assets.
- Mobile Applications, Client-side Software, MDM Testing - Security testing for Mobile apps, Client-side software and MDM solutions used by the organization employees.
- Network and Cloud Infrastructure Testing - Examines the controls that protect the organization's servers and networks.
- Social Engineering - Tests the information security awareness of personnel.
- Physical Security Testing - Evaluates the reliability and integrity of Physical Security Controls.
A vulnerability is a state in a computing system that violates that system's security model. At CENSUS we recognize that security is not a goal but a process, therefore we heavily invest in research for unknown vulnerabilities as part of our security assessment services.
Our vulnerability research services ensure that a software product, a system implementation, or a new technology that an organization is planning to invest in meets strict security requirements and does not suffer from vulnerabilities. We can provide detailed deliverables that empower the client to make informed strategic decisions towards new technologies, choose the most secure solution that meets his requirements, and preemptively reduce investment risk.
CENSUS employs a top-down approach which allows the identification of the most exposed applications and systems in a client's IT environment, followed by a thorough investigation for unknown vulnerabilities in these elements. We have extensive experience and specialised knowledge in the field of vulnerability research and we employ focused techniques such as fuzzing, reverse engineering, source code auditing (in cases where source code is available), static and dynamic analysis in order to identify vulnerabilities and clearly demonstrate their impact on a system's security model.
CENSUS also provides training in the field of vulnerability research. Our education services include the detailed analysis of vulnerability classes in software systems (both in userland and kernel space), methodologies for identifying new vulnerabilities, and the development of targeted programs for exposing the impact of vulnerabilities. We normally do not confine our training to a single operating system, giving our clients the opportunity to be educated in a variety of platforms. However, we can provide vulnerability research training on a client-chosen operating system if so required.
If you have a business interest in our vulnerability research services, please contact us so we can provide you with detailed information.
CENSUS offers Security Training courses to improve the security awareness of personnel and allow developers / management to identify and mitigate security issues early on in the software development lifecycle.
Training courses are delivered by security experts and are based on material coming from best practices, international standards and field experience.
The courses currently offered are:
- Security Awareness Training
- Introduction to Software Security
- Web Application Vulnerabilities
- Mobile App Vulnerabilities (covering Android and iOS apps)
- Implementing a Secure Systems Development Lifecycle
- Secure Development in Java
- Secure Development in C/C++
- Security Tooling for Development Teams
- Security Tooling for QA Teams
CENSUS also delivers custom training sessions on topics selected by customers.
CENSUS offers Security Consulting services to organizations worldwide. Past projects include:
- the assessment of a transition to the cloud of an on-premise medical platform
- the orchestration of user authorization checks in a microservices architecture
- the assessment of the adoption of a specific NFC technology in an electronic identity system
- the assessment of binary protection solutions for desktop and mobile applications
- the assessment of MDM solutions
- the assessment of DRM technologies
- the development of security policies
Contact us to find out more on how your business can benefit from our Security Consulting services.