Software Security & Pentesting

Code & System Optimization

Code Security Training Overview

SOFTWARE SECURITY & APP SECURITY ASSESSMENTS

The first step in your AppSec journey is to get an SSMA to see where you stand relative to your peers. From there VDA will ensure you invest in the right next priorities.

APPSEC-AS-A-SERVICE (AAAS)

At VDA we’re comfortable working all across the Secure Development Lifecycle: training, design, architectural review, tooling, CI/CD, DevSecOps, analysis, pentesting, code audit, and release concerns.

ADVANCED FUZZING SERVICES

Uncovering these deep security issues is more critical than ever, and VDA can help bring fuzz testing into your software security program to help discover issues and more.

CLOUD SECURITY

Nearly every business has products and services in the cloud. Worldwide access affects security. VDA will help ensure the change is positive.

Simple Static Malware Analyzer (SSMA)

VDA Labs uses a framework of cross-disciplinary methods to combine its cyber services with infrastructure security and hardware risk assessments, including Simple Static Malware Analysis, or SSMA.

Using this foundational knowledge, we use our extensive expertise to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing their company, organization, or personal image.

The standard scope of Simple Static Malware Analyzer (SSMA) as it relates to our security consulting services will aim to do the following:

  • Evaluate an organization’s existing software security practices
  • Build a balanced software security program in well-defined development phases and sequential iterations
  • Demonstrate concrete improvements to sensitive data storage systems and/or information security assurance programs
  • Define and measure risk-related activities that catalyze code vulnerability within an organizational network

SSMA was created with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development. Additionally, this model can be applied organization-wide, for a single line-of-business, or even for an individual project.

Interested in SOFTWARE SECURITY?


The team at VDA Labs has been a delight to work with! The SSMA process was important for our team since it provided us with an unbiased, expert view of our existing maturity level for information security. More than simply providing a measurement, the team at VDA provided us with a fundamental understanding of the OWASP model and how to improve upon our maturity baseline in the best possible way forward. Armed with the SSMA data and the expert guidance of the VDA team, we were able to develop and execute a well-organized, measurable plan of maturing our AppSec processes.

— Ron L Beckett, CSM

Senior Manager Software Development Dematic North America

Software Security

The world now runs on code.

To keep moving without risk, it's not enough to hope that your software security is solid. It's essential to know that it's unbreakable.

Technical debt creeps into projects in many ways, and sometimes security is just an afterthought in an industry that moves fast. The trouble is when that comes back to bite you – the impact could be huge.

VDA Labs is a trusted partner, and we’re comfortable working all across the Secure Development Lifecycle: training, architectural and API review, expert security testing, triaging, and more. As more and more companies move to a CI/CD model, let us help you choose, integrate, and manage the right security testing tools and processes.

DESIGN REVIEW

Good security starts with a good design. Glazing security on afterwards is a mistake from the 90’s. VDA will review your product architecture and specifications to make sure the project is moving in the right direction.

Corrections here will save significant cost, compared to later findings.

CODE and COMPONENT ANALYSIS

Software is assembled as much as written these days. Are the components safe, correctly licensed, and up to date? We’ll check. VDA will also check the security of the code. We use a combination of open source and commercial tools to scan for bugs. We then dig deeper using manual code audits to find those subtle bugs automation will never find. VDA will also help you tune against FPs (false positives) if you sign up for our AaaS.

CONTINUOUS HACKING

For runtime/DAST (Dynamic Application Security Testing) on natively compiled code (C/C++) we’ll do fuzzing. We literally wrote the book on fuzzing. For web applications and mobile we use other scanning tools, including a new REST API scanner we’re partnering with Microsoft on. For any code type – again a combination of manual and automated pentesting with tools like Burp used by experts – is required to drill past what automated tools can find. In short, we’ll find those hard to reach bugs.


VDA Labs did a fantastic job of auditing our code. They found bugs that had somehow been missed in our extensive testing processes. Thanks!

— CISO, Lyra Health
Poornaprajna Udupi

Advanced Fuzzing Services

Detect areas of risk and breach vulnerability in your application software or network code infrastructure with help provided by the max-efficiency "fuzzing" force at VDA Labs.

Fuzzing is an advanced form of DAST (Dynamic Application Security Testing) that is used by many of the world's leading software development organizations to discover issues in their code. Fuzz testing finds errors in software in a way that human-driven testing simply can’t – by testing millions or more variations of different input that can be given to a piece of code to detect crashes, bugs, and security vulnerabilities.

Uncovering these deep security issues is more critical than ever, and VDA can help bring fuzz testing into your software security program to help discover issues and more. The team at VDA has a rich background working with fuzzing – in fact our founder, Dr. Jared DeMott, wrote his PhD thesis on “Enhancing Automated Fault Discovery and Analysis” and has since co-authored a book on the topic, “Fuzzing for Software Security Testing and Quality Assurance”. We also regularly teach fuzzing techniques as a part of our Application Security for Hackers and Developers course – a world-class training course offered at Black Hat and other information security conferences.

ADVANCED FUZZING EXPLAINED

Fuzz testing began with a simple set of options – mutation (changing an existing input) vs. generation (creating new inputs from scratch). Now, however, there are many more options – protocol fuzzers can target network services, smart fuzz testers know something about the format they are fuzzing to be more targeted, and the best fuzzers use some degree of instrumentation to guide their progress of testing in order to exercise all branches of code (known as code coverage). Even more importantly – you have to go big. The best fuzzing systems today utilize parallel scaling to cover more test cases in a shorter period of time. This adds more complexity in terms of reporting crashes and triage, but gains much better coverage via the capability of running millions of test cases in a short period of time.
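An added illustration (not VDA Labs code) of why instrumentation-guided mutation outperforms blind mutation: a toy target with nested byte checks is fuzzed with and without coverage feedback. The target, the `FUZZ` magic value, the seed input and all function names are constructed for this example.

```python
import random

MAGIC = b"FUZZ"  # constructed target: "crashes" only on this exact input


class Crash(Exception):
    """Stands in for a real crash (segfault, sanitizer report, ...)."""


def target(data, cov):
    """Toy parser with nested checks; cov collects the branch ids reached."""
    for i, want in enumerate(MAGIC):
        if len(data) <= i or data[i] != want:
            return
        cov.add(i)  # branch "byte i matched" was taken
    raise Crash(data)


def mutate(data, rng):
    """Mutation step: overwrite one random byte with a random value."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(seed, budget, guided, rng_seed=1):
    """Return (test_case_count, crashing_input), or None if budget runs out."""
    rng = random.Random(rng_seed)
    corpus, seen = [seed], set()
    for n in range(1, budget + 1):
        case = mutate(rng.choice(corpus), rng)
        cov = set()
        try:
            target(case, cov)
        except Crash:
            return n, case
        # Coverage feedback: keep any input that reached a new branch, so
        # later mutations build on partial progress. Blind mode never grows
        # the corpus, so every case is one byte away from the original seed
        # and can match at most one byte of MAGIC.
        if guided and not cov <= seen:
            seen |= cov
            corpus.append(case)
    return None


if __name__ == "__main__":
    print("blind :", fuzz(b"AAAA", 200_000, guided=False))
    print("guided:", fuzz(b"AAAA", 200_000, guided=True))
```

With the same mutation operator and budget, only the coverage-guided run reaches the crashing input; real fuzzers such as AFL and LibFuzzer obtain the branch information from compiler or binary instrumentation rather than a hand-written `cov` set.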

The VDA team of experts has deep knowledge of modern fuzzing practices. This means knowing what type of fuzzer can be used where, having the ability to create custom fuzzers for new protocols, or instrumenting binaries to assess vulnerabilities with LibFuzzer or AFL.

Below are some examples from our blog showing this:

  • Using Mayhem and MSRD to find 0day
  • Creating a test harness
  • Creating a BACnet fuzzer with BooFuzz

WHAT SORTS OF ISSUES CAN FUZZ TESTING FIND?

Software bugs can lie latent in code for years or even decades without detection – one example of this was the ShellShock vulnerability – which existed in the Bash shell for 25 years! That said, the goal of fuzzing is to exercise code in a way that discovers latent issues in a much shorter timeframe. While not every bug identified by fuzzing is necessarily a security nightmare, any developer worth their salt will also be interested in some of the other issues commonly found through fuzzing.

The overall picture includes:

  • Crashes
  • Security Exposures / Vulnerabilities
  • Denial of Service Conditions (DoS)
  • Performance Degradations
  • Anomalous Behavior

Interested in ADVANCED APP SEC THROUGH FUZZING?

VDA Labs is honored to share our fuzzing expertise via partnership with ForAllSecure and Microsoft. We help customers deploy, harness, and utilize advanced tools like Mayhem and MSRD. Also, as part of our AppSec-as-a-Service practice, we help customers integrate DAST tools like fuzzers into CI/CD.

Cloud Security

PENETRATION TESTING (PENTEST COMPLIANCE)

Hardening the servers and applications that live in the cloud is now just the beginning. Penetration testing is the risk assessment methodology currently recommended for optimizing security of a given system, and it is used by the industry's most innovative, cutting-edge corporations and entities.

The wealth of data available is undeniable, but it is breach points in accessibility that attackers will be after.

To stay secure on all platforms and to embed safe protocol measures across all systems, VDA's Pen Test Task Force can perform:

  • External and internal blackbox cloud pentests

This is where attackers start. VDA’s advanced threat assessment group will simulate attacker group offenses and find application flaws, data leaks, and more… before adversaries do.

  • Cloud Audit (AWS, Azure, GCP)

This is where the real work begins. VDA will use cloud scanning tools, and manually dig through your setup to ensure the security of:

  1. IAM (overprivileged accounts are a common and serious mistake)
  2. Misconfigured buckets and data privacy
  3. Cloud WAF settings
  4. Much more

  • Cloud Product Configuration

There are also many products available to help enterprises secure the cloud services their company employs. VDA has deep experience architecting, configuring, and monitoring these products.

INTERESTED IN CLOUD SECURITY SERVICES?

Contact Us Today!

 

CYBER SECURITY STARTS WITH VDA LABS