Security Objectives Services: Application Assessment & Penetration Services

Methodology

Static Analysis

Using an interactive disassembler and a custom framework, we review the compiled binaries and discover vulnerabilities such as buffer overflows, integer overflows, format bugs, access control issues and so on. Part of this phase is automated to discover common problems, but much of it is performed manually by highly skilled reverse engineers.

Dynamic Analysis

Using data flow analysis (the movement of data through a running application) and control flow analysis (code paths traveled during operation), we gain invaluable knowledge of how an application operates. Fault injection is also applied to test target code paths for potential weaknesses (e.g. software bugs).

Phases of Assessment

Scope

Planning is done with the customer to determine what goals must be achieved during the audit. Product components and objectives are identified, and any "must" and "should" items are highlighted to produce a statement of work (SoW) with its associated deliverables.

Pre-assessment

We review documentation or errata available about our target product. This includes manuals, developer kits, sample applications, consumer reports, bulletin boards, and blogs.

Drive and Document:

The product is used as it is normally intended, offering the auditor a basic feel for its functionality. The auditor will attempt to use each available feature of the product, becoming familiar with it in its entirety.

Review target application class risks:

Each application is prone to its own set of niche weaknesses. During this phase these weaknesses are researched and documented.

Review weaknesses in chosen languages:

Our auditors are familiar with every major programming language, so this phase is usually just a brief refresher and tool update. If the language is obscure or internal, then we must research it and prepare our tools to isolate weaknesses introduced by the target programming language.

Review target's risk history:

The risk history encompasses any public or sometimes privately discovered bugs and/or vulnerabilities in the target software. These previous risks are reviewed as an aid to further prepare the auditor