Computer Security Audit and Solution Services

Code and system reviews are a key part of developing high-quality products and secure environments. Unfortunately, most organizations either do not perform reviews at all, or review only basic functionality rather than security. Making matters worse, most security audits focus on particular functions rather than on the methodologies and practices actually used by black-hat hackers.

Our Focus

We focus on the following types of security review:
  • System Security. Focuses on "hardening" operating systems, operating environments, networking, and process communication.
  • Black-box Security. Without access to the source code or systems (black-box), we apply known techniques and attack methodologies to detect potential exploits. For some systems, this can include load testing and performance benchmarking. Most findings are demonstrated as "proof of concept" rather than as fully implemented exploits.
  • White-box Security. With access to the source code and/or systems (inside knowledge), we apply a 12-point checklist of exploitable methodologies that identifies more than 90% of potential risks.

For each of these review types, we provide the following services:

  • Analysis. An objective search for, and identification of, potential risks.
  • Evaluations. Documentation of identified risks or areas of concern, together with potential solution options.
  • Recommendations. Due to business decisions, available resources, time, and other factors, not all risks may be "fixed." We identify the risks that should be addressed (and in what order), and suggest methods for mitigating areas of concern.
  • Solutions. We can assist in identifying optimal solutions and implementing them as required.

Metrics

Each security risk and area of concern is measured based on the following metrics:
  1. Exploitation. Is the risk easy to exploit, or difficult? Does it require special knowledge, or can anyone do it? Can it be exploited every time, or do the stars need to be aligned just right? Does exploitation require specific privileges (e.g., a local login on the LAN, or a specific type of system access)?
  2. Scope. What systems are affected? Just one? All with a specific component? Every system with the software installed?
  3. Impact. What happens when it is exploited? Does it cause a denial-of-service (DoS), grant elevated privileges, or provide internal information that may be used by a different exploit (e.g., account listings, log files, or directory browsing)?
  4. Future Impact. (White-box evaluations only.) Some security risks cannot be exploited in the system's current state, but may become exploitable if parts of the system change. For example, a function may contain a buffer overflow condition, but is never called with input that meets the exploit's requirements. Later code revisions, such as adding a new calling function or removing a validation step, may permit exploitation. As an alternate example, many systems rely on firewalls rather than system hardening; changing the firewall configuration may permit system exploitation. Although "Future Impact" areas do not currently pose an exploitable risk, they should not be ignored during future development or deployment.

Each of these risk metrics is weighted on a three-point scale:

  1. Low. Low risk or minimal impact, unlikely even with knowledge of the exploit.
  2. Medium. Serious risk with inside knowledge, but unlikely from an outsider.
  3. High. Easy to exploit, serious damage, no internal knowledge required, etc.

Our Guarantee

Unfortunately, nobody can guarantee to identify all risks or implement a "100% secure" solution. We can only make the following guarantees:
  1. We will try our best. With more than 15 years in the security field, evaluating systems and software, and developing secure solutions for Fortune-100 companies, we believe we will be effective in determining risks and identifying areas of concern.
  2. We will not evaluate third-party applications. In particular, we will not evaluate your competitor's system for you, nor your system for your competitor.
  3. We will not disclose any risks identified for you to any third party. This includes the media, your customers, and your competition. Once we identify a potential risk for you, it is yours to keep.
  4. Unless you request a working exploit, we will not develop fully-functional automated exploits for your system. Even with the most paranoid companies, fully-functional automated exploits have a nasty habit of being leaked to the public. For your protection, we will not create fully-functional automated exploits without your permission. (It's hard to leak a program when it doesn't exist.)