Security testing is the process by which the security of an
organisation is systematically tested. Testing is performed with the
same means that malicious users use, under a methodology that makes the
results of the tests beneficial to the under assessment organisation.
The scope of the tests is not limited only to hardware and software resources, but includes all
aspects of the organisational structure, such as processes and human resources.
CENSUS uses the latest attack techniques along with the results of its in-house vulnerability research to identify common and acknowledged vulnerabilities and distinguish the
possibilities of zero day attacks. Our security testing services can be offered in various ways
depending on the required depth of testing and the nature of the organisation/client. The following options are available:
- Tiger Team - The ultimate security test; covers all aspects of an organisation's infrastructure.
- Penetration Testing - Customer-controlled security testing attacks.
- Web Application Testing - Security testing for custom and off-the-shelf web applications.
- Network Infrastructure Testing - Checks the security parameters of network components such as switches, routers, IPS, IDS, firewalls etc.
- Social Engineering - Tests the information security awareness of personnel.
The resulting information from our security testing sessions is provided in strong
classification with regards to the threats and the risks associated with the identified
and exploited vulnerabilities.
MOBILE APP TESTING
Mobile App Testing is a security assessment process that is specially designed to identify issues in mobile applications. Testing involves an in-depth examination of the app itself, its packaging format and the web (or other) services the app communicates with. Apps may be delivered for testing either in binary or source code format.
Mobile App Testing applies to apps of all major platforms, including:
- Windows Phone
- Blackberry OS
CENSUS is a leader in Mobile App Testing services, with a track record that includes financial institutions,
international software vendors and Fortune 500 companies. Its assessments go well beyond the identification
of common vulnerabilities, discovering crucial business logic errors and issues arising from an app's use
on specific platforms or in combination with specific 3rd party technologies (e.g. MDM solutions,
binary protection solutions).
Through its field experience and continuing research in mobile device / platform / framework security, CENSUS has gained unique insights which have helped customers resolve complex issues and minimize their exposure to future risks.
A vulnerability is a state in a computing system that violates that system's security model. At CENSUS we recognise that security is not a goal but a process, therefore we heavily invest in research for unknown vulnerabilities as part of our security assessment services.
Our vulnerability research services ensure that a software product, a system implementation, or a new technology that an organisation is planning to invest in meets strict security requirements and does not suffer from vulnerabilities. We can provide detailed deliverables that empower the client to make informed strategic decisions towards new technologies, choose the most secure solution that meets his requirements, and preemptively reduce investment risk.
CENSUS employs a top-down approach which allows the identification of the most exposed applications and systems in a client's IT environment, followed by a thorough investigation for unknown vulnerabilities in these elements. We have extensive experience and specialised knowledge in the field of vulnerability research and we employ focused techniques such as fuzzing, reverse engineering, source code auditing (in cases where source code is available), static and dynamic analysis in order to identify vulnerabilities and clearly demonstrate their impact on a system's security model.
CENSUS also provides training in the field of vulnerability research. Our education services include the detailed analysis of vulnerability classes in software systems (both in userland and kernel space), methodologies for identifying new vulnerabilities, and the development of targeted programs for exposing the impact of vulnerabilities. We normally do not confine our training to a single operating system, giving our clients the opportunity to be educated in a variety of platforms. However, we can provide vulnerability research training on a client-chosen operating system if so required.
If you have a business interest in our vulnerability research services, please contact us so we can provide you with detailed information.
SOURCE CODE AUDITING
If your company is developing software, or purchasing custom software, then you must always be vigilant about vulnerabilities that can undermine the security of the end product and of the underlying operating system. CENSUS has extensive experience in auditing source code both for insufficient input validation vulnerabilities (like buffer overflows, XSS, SQL injections) and logic flaws (such as race conditions, concurrency violations).
Unlike traditional code auditing approaches, we do not rely on automated mechanisms to identify vulnerabilities. Instead, we follow a top-down approach which allows us to gain an understanding of the investigated system and provide a detailed source code vulnerability report to our clients.
CENSUS provides source code auditing services for software implemented in the following programming languages:
- Objective C
- x86 & ARM Assembly (32bit and 64bit)
- Unix Shell
CENSUS also provides software security testing services to companies that require an independent entity to assess the security of custom software they purchase from third parties.
Detailed information (utilised methodologies and approaches, sample reports) for our source code auditing services are available upon expression of business interest.
A Systems Development Lifecycle (SDLC) represents a series of steps taken during the development of a product. Although SDLC strategies may vary from organization to organization their ultimate goal is the efficient production of high quality products. A Secure SDLC is a development lifecycle that has been augmented by a special set of processes, whose goal is the development of products meeting high security standards. Secure SDLC methodologies allow for the early mitigation of security risks, by identifying and fixing security vulnerabilities during the early stages of product development. They also introduce best-of-breed proactive defenses in the design and implementation of the product, thus minimizing the released product's exposure to future threats.
CENSUS provides specialized security assessment and consulting services to help businesses build and maintain a Secure Systems Development Lifecycle. These services range from consulting and training on Secure SDLC procedures, to security audits on the deliverables of each SDLC phase.
CENSUS offers Security Training courses to improve the security awareness of personnel and allow
developers / management to identify and mitigate security issues early on in the software development lifecycle.
Training courses are delivered by security experts and are based on material coming
from best practices, international standards and field experience.
The courses currently offered are:
- Security Awareness Training
- Introduction to Software Security
- Web Application Vulnerabilities
- Mobile App Vulnerabilities (covering Android and iOS apps)
- Implementing a Secure Systems Development Lifecycle
- Secure Development in Java
- Secure Development in C/C++
CENSUS also delivers custom training sessions on topics selected by customers.
To find out more about our Security Training programmes, contact us today!
CENSUS offers Security Consulting services to companies and organizations worldwide. Past projects include:
- design-phase reviews of new protocols
- software architecture reviews
- network architecture security reviews
- device architecture security reviews
- threat modeling for software / hardware components and products
- medical device cybersecurity risk assessment for FDA pre-market submissions
- the assessment of binary protection solutions for desktop and mobile applications
- the assessment of MDM solutions
- the assessment of DRM technologies
- the development of security policies
Contact us to find out more on how your business can benefit from our Security Consulting services.