System Analysis and Audits

Attack Models

Have you ever found yourself wondering about all these different accounts, permission levels and certificates being introduced by and/or into a product? Software architects and developers build and integrate those to increase security and spend valuable development time on the topic. But the security consulting company you work with declares the same product an apocalypse and recommends rewriting everything? This is a typical example of missing attack modeling.

Recurity Labs' attack modeling approach takes the entire system into account. To understand the security threats, a system or product needs to be put into the grand perspective of its application scenarios. Often, the features of a product pose more dangerous threats to security in an application scenario than arbitrary security vulnerabilities would. In some cases, specific vulnerability classes (such as Cross-Site Scripting) are highly critical in one scenario, while being almost irrelevant in another scenario with the same product.

A system threat analysis considers non-technical attack vectors as well as mitigating factors. In many cases, successful attacks from related entities, such as business partners or third parties, are technically much more likely than from unrelated attackers in the wild. Such attack vectors need to be considered and can often be easily mitigated by non-technical means. Investigating and analyzing possible attacks and mitigations, and thoroughly documenting those, significantly reduces development and testing costs while greatly improving the effectiveness of the security at all stages of a product's lifecycle.

Audits

Before implementing new software or appliance products in a production environment, or rolling out an installation to all branch offices, a product audit makes it possible to verify the intended design and implementation security of a (third-party) product. With the help of a previously created attack model, Recurity Labs thoroughly investigates the product in the scenario of its intended application. The goal of the audit is to verify the flawless behavior of the product under hostile conditions.

Penetration Test

Penetration tests are structured attacks on IT systems or applications to identify existing vulnerabilities using the very tools and techniques a real attacker utilizes. When executing a penetration test, Recurity Labs uses a combination of manual testing and (custom) security tools to identify weaknesses. While a real attacker only needs to find and exploit one single vulnerability, a penetration test aims to uncover a broader set of common attack vectors.

Network Assessments

Recurity Labs offers network assessment services to customers requiring high accuracy and professionalism for the task. We understand network assessments as a stocktaking of the currently running network infrastructure, providing measurements on a higher level than vulnerability assessments, while providing dependable guidelines for the future development of the infrastructure, based on solid data.