What is security testing / penetration testing?

Security / penetration tests uncover security vulnerabilities and provide possible solutions to improve the security posture of a company or application.

CODE Security offers three types of penetration tests:

  • Black-box testing: Refers to testing a system without specific knowledge of the internal workings or architecture of the system and without access to the system’s source code.
  • White-box testing: Also known as clear-box testing, refers to testing a system with complete knowledge of the system including access to the source code and all architecture documents. This full access approach can reveal bugs and vulnerabilities faster than the trial-and-error approach of black-box testing and is therefore the approach CODE Security recommends.
  • Grey-box testing: Refers to testing a system with some information about the system. The information is usually limited to architectural diagrams and design documents. It is a combination of black and white box testing.

CODE Security recommends the white-box testing approach because it leads to a higher vulnerability detection rate and offers more comprehensive testing coverage for our clients.

CODE Security offers these three types of security tests for many applications and services. The following sections detail some of the most commonly performed tests and security services we offer.

Simulate what happens in a real-world attack with penetration testing

A penetration test simulates a real-world attack scenario. This type of testing can help to uncover vulnerabilities and weaknesses within a system, an application, or an infrastructure in order to expose any serious security issues before a real-world attacker does. CODE Security offers penetration tests for modern applications of any kind, including web applications or mobile apps running on iOS or Android. We assist our clients with the initial scoping, including threat modelling and the identification of the potential attack surface, the definition of a suitable test depth and most likely attack vectors, as well as providing guidance on choosing the testing approach best for them: white-, gray- or black-box.

CODE Security uses a combination of manual testing and code reviews, as well as industry standard testing tools, to provide our clients with the highest testing coverage possible. At the conclusion of every penetration test, our CODE Security experts author provides our clients with a technical report that includes all identified vulnerabilities along with a severity rating according to industry standards. And if you need help increasing the security of your applications, we have custom software developers to help you.

Let CODE Security test your web applications and REST APIs

CODE Security uses a web application / REST API penetration test to uncover vulnerabilities that might be exploited by a remote attacker (authenticated and unauthenticated).

The current OWASP Top 10 Web application (2017)) security risks as well as the OWASP API Top 10 (2019) security risks and (https://apisecurity.io/encyclopedia/content/owasp/owasp-api-security-top-10.htm) form the backbone of the web application and REST API interface security assessment services we provide for our clients.

  1. Injection
  2. Authentication errors
  3. Loss of confidentiality of sensitive data
  4. XML external entities (XXE)
  5. Access control errors
  6. Security-related misconfiguration
  7. Cross-site scripting (XSS)
  8. Insecure deserialization
  9. Use of components with known vulnerabilities
  10. Inadequate logging and monitoring

To further increase effectiveness, CODE Security recommends a combination of classic web application testing with a source code review of the web application and analysis of how your sites use REST APIs.

How safe are your mobile applications?

CODE Security uses mobile application penetration tests to uncover vulnerabilities within the mobile applications that might be exploited by a remote or local attacker in the form of a malicious application running on the same device as the application to be reviewed.

CODE Security offers security tests and reviews of iOS and Android applications, including classical mobile apps, MDM solutions, low-level operating system specifics and kernels. The OWASP Mobile Top 10 security risks provide the backbone of the mobile applications security assessment services we provide for our clients. This includes, but is not limited to, covering the following areas:

  1. Improper platform use
  2. Insecure data storage on the mobile device
  3. Inadequate protection of the transport layer
  4. Insecure / weak authentication methods
  5. Sources of error in cryptography
  6. Insecure / weak authorization methods
  7. Identification of vulnerabilities in the source code of the mobile application
  8. Manipulation of code or application data
  9. Reverse engineering
  10. Identification of potentially security-endangering, hidden functions (e.g., hidden backdoor)

Similar to web application penetration tests, to further increase the effectiveness, CODE Security encourages combining dynamic testing with a static source code review in order to achieve the most comprehensive coverage.

Let’s get into code audits

The primary objective when performing a code audit is to identify security vulnerabilities within the design or in the application source code of your product. Remember those tradeoffs years ago of writing secure code vs writing applications quickly? Surprise, this is where choices someone made then might have consequences now. CODE Security recommends doing code audits with the earlier penetration tests because it allows the testers to achieve the highest coverage and identify hard-to-spot weaknesses by combining the dynamic and static testing approaches.

CODE Security’s team of senior consultants are fluent in a wide range of programming languages and are capable of performing code audits against code bases written in many programming languages. Reach out to us today about having CODE Security perform a code audit on your code.

CODE Security conducts programming language audits in several steps. First, we conduct an initial scoping and work with the development team, which allows our expert consultants to get an overview of the application’s design and architecture along with its code structure. This input is essential for the creation of a threat model, better tailoring the actual code review towards our clients’ need and the definition of a baseline of what potential threats the application’s threat model includes. Following that, expert CODE Security consultants conduct the actual code audit using manual and automated methods. The primary focus of our audit relies on manual code analysis taking full advantage of the expertise and experience of our expert CODE Security consultants. Ideally CODE Security conducts our audits in close collaboration with CODE’s software development team and we communicate our findings as they arise directly to the developers. This approach helps reduce or eliminate false-positives and better target the testing of important and interesting areas to incorporate feedback from the development team into the review process.

At the conclusion of your audit, our CODE Security experts provide a technical report including all identified vulnerabilities along with a severity rating according to industry standards. And if you need help increasing the security of your applications by helping you modify its source code, we have custom software developers to help you.

AppSec

AppSec refers to applications of any kind. CODE Security performs security reviews of modern software products including user applications or operating system kernels and hypervisors, in order to discover vulnerabilities and protect your system before attackers exploit those vulnerabilities in the real world. We conduct the review of an application in close collaboration with the development team, to ensure information and identified issues are quickly exchanged between our expert security consultants and the development team.

At the conclusion of your AppSec review, our CODE Security experts provide a technical report including all identified vulnerabilities along with a severity rating according to industry standards.

IoT / hardware security

Today’s hyperconnected world faces a completely new threat landscape, as any internet-connected device is potentially vulnerable and subject to attacks and malicious activity.

CODE Security provides security review services for IoT devices and the firmware running on IoT devices to identify vulnerabilities by reviewing the hardware and the software stack. When a source code inspection is not possible, we use reverse engineering techniques to determine what the IoT device does and which attack vectors exist as well as the analysis of hardware debug interfaces. CODE Security’s expert consultants are skilled at performing hardware security reviews of various devices to identify any potential vulnerabilities within attack vectors that may exist for local attackers that open and tamper with hardware devices.

At the conclusion of your IoT review, our CODE Security experts provide a technical report including all identified vulnerabilities along with a severity rating according to industry standards.

CODE's reverse engineering helps you stay ahead

CODE Security uses reverse engineering techniques to uncover a piece of software or hardware from it’s executable(s) form in order to understand it’s inner workings, and potentially it’s source code. The typical scenario for this is when the source code is no longer available or when assessing a closed-source project in compiled form. Reverse engineering helps to assess the quality of software or hardware within black-box engagements, which helps determine how easily an attacker identifies vulnerabilities without prior knowledge of the product or access to the product source code.

At CODE Security our expert consultants are skilled at reverse engineering modern applications compiled for a number of architectures including x86, arm, arm64 and MIPS. The combination of static reverse engineering and additional techniques such as dynamic binary instrumentation make it possible to reveal vulnerabilities and explore the code areas handling the security of your application.

And as we’ve noted above, at the conclusion of your reverse engineering service, our CODE Security experts author a technical report explaining the identified vulnerabilities along with a severity rating according to industry standards.