Security cannot be programmed or tested into an application afterwards. It also cannot be set up finally from the beginning so that you no longer have to worry about it later. Instead, security concepts should be considered early in the project and continuously taken into account. Understand critical concepts of IT security and work with methods that allow you to harden your applications and protect your data. Test the security of your applications thoroughly - or let us do it for you!
Most of our trainings are available in German.Go to German site
In a threat analysis, the system is viewed from the perspective of potential attackers. This format has proven itself in many and completely different projects: From alcohol testing devices to mobile web applications, to communication protocols or access processes to private keys for software signatures, this type of structured brainstorming can be applied.
In this process, the methodological knowledge of our security experts is combined with the technical and project knowledge of the people involved in the project. The basis for the subsequent threat analysis is a common understanding of the system values to be protected ("Assets"). Here, all system values are collected and then roughly prioritized. Another important preparation is to find out which attackers can be expected to target the identified system values and what motives these attackers pursue. Depending on the complexity of the application, the motives identified through brainstorming are summarized into 5-10 main motives. For each main motive, an attack tree is now created. The main motive is the root node, and each path from the leaf to this root node ultimately represents a possible attack on one or more system values in great detail. Finally, suggestions for countermeasures are developed for the attack paths considered critical. These measures are finally prioritized in consideration of their expected security gain for the system and the estimated necessary effort.
We are happy to help you test the security of your applications. For instance, we analyze the fingerprinting of the web server or information that can be found via search engines, as well as indications of other services running on your public web servers. We check whether outdated, vulnerable, or insecurely configured services and applications are running on the servers, if old backups are present, or if there are any other, possibly undocumented admin interfaces. The authentication mechanisms of your application are tested for their strength and circumventability. We look for ways that make it possible to perform actions or read data with certain privileges, such as a clearly defined role, which should be reserved for a higher privileged role.
Our experts systematically search for places where code can be injected into the application through user input. This includes uncovering security vulnerabilities such as Cross Site Scripting (XSS), SQL Injection, XML Injection, Command Injection, or LDAP Injection. Furthermore, we use fuzzing to test whether your application behaves correctly in the event of an error and, for example, does not reveal sensitive information in error messages. Should you employ cryptographic methods, we will also scrutinize these.