Strong Crypto Innovations helps organizations secure their Web applications, Web services, and other software applications. We ensure that our clients’ applications are “self-defending” for their target environments.


We tailor our consulting engagements according to our client’s needs, from the audit of a single application to broad support for initiating or improving a software or application security program.

Our consulting services support all business functions in software development, from Governance to Deployment. We perform activities such as creating an application security policy, defining security requirements, security testing, and hardening the deployment environment. A few of our most requested services are detailed on this page.

Software Assurance Maturity Model

Governance
  • Strategy & Metrics
  • Education & Guidance
  • Policy & Compliance

Construction
  • Security Requirements
  • Threat Assessment
  • Secure Architecture

Verification
  • Design Review
  • Security Testing
  • Code Review

Deployment
  • Environment Hardening
  • Vulnerability Management
  • Operational Enablement

Code Review - Automated Static Analysis

Code review is the process of auditing the source code of an application to verify that the proper security controls are present, that they work as intended, and that they have been invoked in all the right places.

A manual code review of a large application can be a slow and tedious process, while automation can make the code review process significantly more efficient. We recommend a semi-automated approach: an automated tool is run on some or all of the code, and manual code review is conducted on critical subsets of the source. The automation is used to quickly locate portions of the code that match known problem patterns, which serve as a jumping-off point for the reviewer's further analysis. In this way the reviewer is guided toward problem areas in the code, but does not rely on the tool alone to locate additional defects.

Manual review is also necessary where the automated tool does not support a particular language (e.g., Flash .fla files), cannot check for certain classes of software weakness (e.g., logic flaws), cannot analyze particularly complex code, or where a greater level of scrutiny is required.

This comprehensive approach uses automated static analysis to ensure full code coverage, and manual review for intensive inspection of the security-critical areas of the code.
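The semi-automated workflow described above, as an added illustration that is not SCI's own tooling: a small pattern scanner flags lines matching known problem patterns over a constructed sample code base, then ranks files so the manual reviewer starts with the riskiest one. The pattern set, weights and sample files are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: application source as a reviewer might receive it.
SAMPLE_SOURCE = {
    "app/db.py": '''def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return cur.fetchone()
''',
    "app/auth.py": '''import hashlib
def hash_password(pw):
    return hashlib.md5(pw.encode()).hexdigest()
''',
    "app/util.py": '''def slugify(s):
    return s.lower().replace(" ", "-")
''',
}

# Known problem patterns (assumed, illustrative set): CWE id, title, regex, weight.
PATTERNS = [
    ("CWE-89", "SQL built by string concatenation",
     re.compile(r'execute\(\s*["\'].*["\']\s*\+'), 3),
    ("CWE-328", "weak hash algorithm", re.compile(r'hashlib\.(md5|sha1)\('), 2),
    ("CWE-95", "dynamic code evaluation", re.compile(r'\beval\('), 3),
]

@dataclass
class Finding:
    path: str
    line: int
    cwe: str
    title: str
    weight: int
    snippet: str

def scan(sources):
    """Automated pass: locate lines that match a known problem pattern."""
    findings = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for cwe, title, rx, weight in PATTERNS:
                if rx.search(line):
                    findings.append(Finding(path, lineno, cwe, title, weight, line.strip()))
    return findings

def review_queue(findings):
    """Rank files by total finding weight so manual review starts at the riskiest."""
    totals = {}
    for f in findings:
        totals[f.path] = totals.get(f.path, 0) + f.weight
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
```

Files with no hits (here `app/util.py`) still need coverage by the manual pass for logic flaws the patterns cannot express.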

Security Testing - QA

Security testing measures the effectiveness of application security controls by highlighting risks posed by actual exploitable vulnerabilities.

It is best to begin security testing as early in the SDLC as possible, typically in QA. SCI recommends a comprehensive approach to security testing in QA including the following activities:

  • Automated scanning and manual testing of the application in a QA or staging environment before it is released to production.
  • Utilizing misuse or abuse cases to identify where the application may have weaknesses.
  • Testing all possible inputs to the application through attack surface analysis and bypassing client-side logic, e.g., disabling client-side JavaScript, and un-hiding hidden form fields.
  • Dynamic analysis inside Java and .NET applications, providing precise details about attack surfaces and data flow paths for vulnerabilities.
  • Correlation of dynamic analysis results with static analysis results to accelerate the remediation process.
  • Manual testing of high consequence areas of the Web application, e.g., authentication, access control, session management, business logic.

Security testing should assess the security properties and behaviors of software as it interacts with external entities (human users, environment, other software) and as its own components interact with each other.

Security Testing - Production Web

It is important to test the production Web portfolio to ensure that no new weaknesses have surfaced and that no new application functionality has been deployed without proper security testing. SCI recommends a comprehensive approach to security testing in production including the following activities:

  • Automated and repeatable scanning of the entire public Web application infrastructure of an organization from external IP address space.
  • Determining attack surface by discovering and mapping all Web resources that are reachable from the public Internet.
  • Using both public and internal sources to enumerate targets, e.g., DNS, Web application inventory, search engines.
  • Integrating commercial, open source, and custom tools to provide the best possible automated results.
  • Discovering all the common Web application security risks and weaknesses, e.g., CWE and OWASP Top 10.
  • Discovering stealth code such as injected malware, orphaned or hidden sites, and back doors.