PRODUCT SECURITY ASSESSMENTS
CENSUS provides specialized services for the security assessment of products and the implementation of a Secure Systems Development Lifecycle. A brief overview of the related services is provided below. To learn more about these services and how these can enhance the product development process please see our whitepaper on the subject.
Design Level Review - Enforce Security By Design by having CENSUS experts review design level documentation of software features / projects, hardware components / architectures, new protocols and network architectures.
Source Code Auditing - A manual line-by-line security review of a product's (or component's) source code coupled with functional security testing. This is the best way to identify software vulnerabilities and prepare for a high quality release. CENSUS provides source code auditing services for software implemented in the following programming languages:
- C
- C++
- Objective C
- Java
- C#
- Rust
- Go
- PHP
- Python
- Ruby
- Perl
- Swift
- JavaScript
- x86 & ARM Assembly (32-bit and 64-bit)
- ASP
- VB
- Unix Shell
- PowerShell
- Fortran
- Pascal
- COBOL
Device Security Testing - Comprehensive security testing for the hardware and software of electronic devices.
Application Security Testing - "Black box" security testing for any type of application, including desktop applications, mobile apps and web applications. Web Application Security Testing provides remote testing for the whole stack of deployed web applications, covering all desired functionalities and user roles. Mobile App Security Testing is a specialized service for in-depth testing of iOS & Android apps (including related web APIs and communications with other devices / software components).
Product Infrastructure Penetration Testing - Use the Network and Cloud Infrastructure Testing module of our "Organization Security Testing" services to test the security posture of the infrastructure (e.g. IaaS / PaaS / Kubernetes setup, host setup, container setup, firewall / IDS / IPS setup etc.) that supports a product release / installation.
Threat Modeling and other Security Documentation - Develop a Threat Model, to map out important threats and prioritize work on countermeasures. CENSUS can also prepare other required security documentation such as a Product Security Plan, a Security Architecture document, a Data Classification document or a Product Disposal Plan. Moreover, necessary procedures, documentation and risk assessments can be prepared to fulfill product pre-market / post-market cybersecurity requirements (e.g. medical device FDA pre-market submission requirements).
Secure SDLC - Specialized security assessment and consulting services to help businesses build and maintain a Secure Systems Development Lifecycle for products.
ORGANIZATION SECURITY TESTING
Organization Security Testing is the process by which the security of an organization is systematically tested. Testing is performed with the same means that malicious actors use, under a methodology that makes the results of the tests beneficial to the organization under assessment.
The scope of the tests is not limited only to hardware and software resources, but includes all aspects of the organizational structure, such as processes and human resources.
CENSUS uses the latest attack techniques along with the results of its in-house vulnerability research to identify common and acknowledged vulnerabilities and to assess the potential for zero-day attacks. Our organization security testing services can be offered in various ways depending on the required depth of testing and the nature of the organization/client. The following options are available:
- Tiger Team - The ultimate security test; covers all aspects of an organization's infrastructure.
- Red Teaming - Simulates the attacks carried out by different threat agents against the organization.
- Penetration Testing - Customer-controlled security testing attacks.
- Web Application Penetration Testing - Test for vulnerabilities in custom and off-the-shelf web applications that create risks for the organization and its assets.
- Mobile Applications, Client-side Software, MDM Testing - Security testing for Mobile apps, Client-side software and MDM solutions used by the organization employees.
- Network and Cloud Infrastructure Testing - Examines the controls that protect the organization's servers and networks.
- Social Engineering - Tests the information security awareness of personnel.
- Physical Security Testing - Evaluates the reliability and integrity of Physical Security Controls.
ADVISORY SERVICES
CENSUS offers Advisory Services to help companies create, acquire, and deliver secure products and software. Our Advisory Services team can guide you through the creation of a comprehensive Application Security Program that will help you set up all necessary policies, guidelines, procedures, and standards that will enable you to produce secure applications and products. CENSUS cyber security consultants have significant experience in Security Design and Architecture and have performed numerous Threat Modeling projects. Our team can also help you fulfill product pre-market and post-market cybersecurity and compliance requirements in various sectors (e.g., medical device FDA pre-market submission requirements, NIST SSDF, and more).
Governance
- Maturity Assessment and Roadmap
- AppSec Program Strategy – “Shift Left” Security
- Training
Design
- Secure Design
- Security Architecture
- Threat Modeling
Maturity Assessment and Roadmap - CENSUS offers a specialized Application Security Maturity Assessment service that aims to measure the maturity of an organization in terms of software assurance. Based on the OWASP SAMM model and combined with the experience and best practices from client engagements, the CENSUS assessment methodology is used to assess the status of security activities in all stages of the development lifecycle. Our methodology ensures a consistent and reproducible outcome that helps you create and follow a roadmap for improving your software assurance posture with measurable results.
AppSec Program Strategy - Creating secure software is by no means a trivial task. Several methodologies have been proposed for adopting a Secure Development Lifecycle (SDLC). At the same time, modern software has evolved with technologies like containers, the Cloud and the concept of CI/CD completely changing the way that applications are now developed.
CENSUS offers consulting services that go beyond the establishment of an SDLC. Our goal is to help you adopt a “shift left” security strategy and implement security practices throughout the entire development lifecycle, rather than only at the end, by guiding you through the creation of a comprehensive Application Security Program that will help you set up all necessary policies, guidelines, and standards in order to produce secure applications. Such a program also provides full visibility into your application security posture and enables you to monitor the security level of your applications.
CENSUS AppSec Program Strategy advisory services can be offered to all types of companies, from boutique software houses to large organizations. CENSUS can also prepare other required security documentation such as a Product Security Plan, a Security Architecture document, a Data Classification document or a Product Disposal Plan. Moreover, necessary procedures, documentation, and risk assessments can be prepared to fulfill product pre-market / post-market cybersecurity and compliance requirements (e.g., medical device FDA pre-market submission requirements, NIST SSDF, and more).
Training - Cyber Security Training is not just another compliance requirement, but an essential element of a cyber security program. CENSUS offers a variety of courses, delivered by expert trainers with vast field experience. Developers, architects, testers, security champions, and anyone involved in software development can benefit from our courses.
Training topics include:
- Application Security Fundamentals
- Building Secure Web Applications and Web Services
- Mobile Application Security - Attack and Defense (covering Android and iOS apps)
- Building Secure Applications in the Cloud (covering Azure, AWS, and GCP)
- Secure Development in Java
- Secure Development in C/C++
- Cyber Security Awareness Training/IT Security Hygiene
- Implementing a Secure Systems Development Lifecycle
Secure Design - Security by Design has become an essential requirement for many legal and regulatory standards. Additionally, establishing security requirements and choosing the appropriate security controls early in the development lifecycle is essential for producing secure software.
CENSUS offers consulting services to assist you throughout the entire design phase. A threat and risk assessment can be performed to identify the risk profile of your applications, identify and review security and privacy requirements, and assist you in handling software supply chain risk and relevant requirements. Our goal is to help you choose and justify the appropriate security controls for your application in order to minimize the identified risks. In addition, CENSUS offers consulting services for the security review of design documents, including the design-level review of new protocols and security controls. The work performed in this phase will stand as a rigorous test of the concepts portrayed in the project design documents and will justify the countermeasures that need to be taken in order to minimize the identified risks.
Security Architecture - An essential part of the software design process is Security Architecture. CENSUS provides consulting services for both evaluating and designing the security architecture of your applications and products. The entire project security architecture plan will be reviewed to identify weaknesses and suggest improvements, by following a product agnostic methodology. Our goal is to complement your IT architecture practice with our risk management expertise in order to help you make the right choices in terms of technology.
CENSUS can also provide assistance in creating and maintaining reference architectures across your enterprise. The use of reference architectures in software development aids in streamlining the software design process and harmonizing the use of specific components, frameworks, and technologies. Having an organization-wide reference architecture is even more important for cloud-native or container-based environments that require a completely different approach to application development.
Threat Modeling - Threat modeling is an essential part of the software design process and a hard compliance requirement for many industries, such as medical device manufacturing and automotive. By following a structured approach and involving a variety of stakeholders, including architects, product managers, security champions, and even testers, Threat Modeling can help you identify and manage threats to your applications.
CENSUS can help you develop a threat model to map out important threats and prioritize work on countermeasures. Our consultants can work with your teams to establish a Threat Modeling process that fits your needs. Threat models provide a detailed understanding of an application’s architecture and environment, and help understand architectural and design flaws, as well as the controls that can best mitigate them.
VULNERABILITY RESEARCH
A vulnerability is a state in a computing system that violates that system's security model. At CENSUS we recognize that security is not a goal but a process, therefore we heavily invest in research for unknown vulnerabilities as part of our security assessment services.
Our vulnerability research services ensure that a software product, a system implementation, or a new technology that an organization is planning to invest in meets strict security requirements and does not suffer from vulnerabilities. We can provide detailed deliverables that empower the client to make informed strategic decisions towards new technologies, choose the most secure solution that meets their requirements, and preemptively reduce investment risk.
CENSUS employs a top-down approach which allows the identification of the most exposed applications and systems in a client's IT environment, followed by a thorough investigation for unknown vulnerabilities in these elements. We have extensive experience and specialised knowledge in the field of vulnerability research and we employ focused techniques such as fuzzing, reverse engineering, source code auditing (in cases where source code is available), static and dynamic analysis in order to identify vulnerabilities and clearly demonstrate their impact on a system's security model.
CENSUS also provides training in the field of vulnerability research. Our education services include the detailed analysis of vulnerability classes in software systems (both in userland and kernel space), methodologies for identifying new vulnerabilities, and the development of targeted programs for exposing the impact of vulnerabilities. We normally do not confine our training to a single operating system, giving our clients the opportunity to be educated in a variety of platforms. However, we can provide vulnerability research training on a client-chosen operating system if so required.
If you have a business interest in our vulnerability research services, please contact us so we can provide you with detailed information.