Software security

Services

In the age of electronic communications, cyberthreats have become alarmingly common. In view of the resulting challenges, developing software in a manner consistent with best practices and key security assumptions has become not only desirable but also indispensable. With the increase of the number of new features, seen in the processes of project development (especially in agile methodologies), developers often lose sight of security best practices.

By improving software security, you can help prevent malicious attacks. Their goal is often to breach the software layer and use hidden access points leading to sensitive places and resources. Getting an advantage over attackers and anticipating them gives freedom in defensive actions and the necessary conditions for further, uninterrupted development. 

At AFINE, we support the most important software producers in their fight against cybercrime. 

As part of software security services, we offer penetration testing of web and native applications, API, and mobile applications. Security tests are performed both in the black-box methodology, without knowing the details of the solution (in native / binary applications based on techniques related to reverse engineering), and in the white-box methodology, including a thorough source code audit. We also offer you our advanced cryptographic solutions: their secure implementation in applications, as well as the vulnerability identification.

  • Web Application & API

    Web application and API security tests are assessed in accordance with the OWASP Application Security Verification Standard (ASVS). What distinguishes us on the market is the fact that we do not rely on automatic tools. We carry out our tests manually, using automated tools only to automate basic work.

    The types of errors we detect include:

    • SQLi,
    • XSS,
    • CSRF,
    • SSRF,
    • DOM-based vulnerabilities,
    • CORS,
    • XXE,
    • HTTP Request Smuggling,
    • Insecure Deserialization,
    • OS Command Injection,
    • Server-side template injection,
    • Directory traversal,
    • Access control vulnerabilities.

     Depending on your individual needs, we can offer you:

    • comprehensive web apps security tests,
    • comprehensive REST API security tests,
    • comprehensive security tests of the additional mechanisms used withing web apps (such as WebSocket).
  • Mobile apps

    Mobile applications penetration tests allow us to comprehensively verify the security of mobile solutions, from compliance with good practices, to examining the security of the application interface, its interaction with the mobile operating system and interaction with the backend that supports user requests. An important element of mobile application security tests is also decompilation and reverse engineering, necessary to verify the likelihood of disclosure of sensitive technological data, as well as discovering vulnerabilities invisible from the user interface or mobile system emulator. Our work focuses both on Apple ecosystem and the Android system.

    Depending on your individual needs, we can:

    • examine the business logic of the application,
    • verify the communication interfaces used by the application (mobile communication, Wi-Fi, Bluetooth, NFC),
    • check the permissions that the application needs to run on the device (whether, for example, they are not redundant, thus exposing end users),
    • control the security of protocols used to communicate with the server (technology used, transmission security, etc.),
    • verify the security and authorization of transactions performed from the application level,
    • verify the security of data stored on a mobile device (including cache),
    • verify the security of the application screens (e.g., whether the account balance is visible after switching the application to the background),
    • check the information logging by the application (e.g., whether the device logs do not contain sensitive information),
    • assess the security of frameworks and external libraries used by the application,
    • verify the detection of jailbreak and the behavior of the application when it is detected that this process has been carried out on the device,
    • verify the correctness of communication security by the so-called certificate pinning,
    • verify encoded sensitive data, e.g., private certificates, encryption keys or other sensitive information,
    • investigate the possibility of circumventing the authentication and authorization processes,
    • verify the access security by blocking it after several unsuccessful attempts,
    • examine the security of user sessions (e.g., automatic termination on the device and server, clearing the memory of session data after its end, sending session data in GET parameters, vulnerability to session fixation attacks, method of generating tokens and others),
    • verify the vulnerability to typical web attacks (e.g., XSS, injection attacks – SQL, HTML, XML, and others – OS command injection, CSRF, cookie security, HTML5 security, or cross domain policy settings),
    • assess the privacy of application users (whether, for example, user data is not transferred to external servers).
  • Native applications

    We perform security tests of binary / native applications written in both byte-compiled languages (e.g., C # / Java) and machine code (e.g., C / C ++). Our portfolio includes successfully conducted penetration tests of solutions such as thick-clients, ERP (Enterprise Resource Planning) systems, accounting systems, and messaging systems (including IBM MQ / ActiveMQ). We also have extensive experience in analyzing the security of native services, which are an extension of web browser extensions (Mozilla Firefox, Google Chrome) based on native messaging, both in macOS and Windows.

    Our team has experience in identifying vulnerabilities such as:

    • Memory Corruption Bugs:
      • Heap related:
        • Heap-based Buffer Overflow,
        • Use-after-free,
        • Double free;
      • Stack related:
        • Stack Overflow,
        • Stack-based Buffer Overflow;
    • Type Conversions vulnerabilities;
    • Arithmetic issues:
      • Integer Under/Over-flow;
    • Strings/metacharacters handling:
      • Format strings vulnerabilities,
      • NUL Character Injection;
    • Memory leaks;
    • Command Injection vulnerabilities;
    • Path traversal;
    • Race Conditions;
    • OS specific issues:
      • Windows:
        • vulnerabilities related to symbolic links,
        • Windows registry issues,
        • privilege escalation (e.g. by abusing services),
        • Interprocess Communication issues;
      • macOS:
        • privilege escalation.

    We can offer you a comprehensive security analysis of native software.

  • Code Review

    The source code review is based on a very detailed security analysis that allows you to understand the context of the implemented mechanisms and to estimate the risk. It takes into account both the probability of an attack and the business risk that comes with it. We have many years of experience in identifying vulnerabilities in the source code, both in the context of web applications (including ASP.NET, PHP, Python, Go, JavaScript) and binary applications, such as the identification of typical C / C ++ errors in the context of management on a stack (e.g., Stack-based Buffer Overflow) or on a heap (e.g., Use-after-free and Heap-based Buffer Overflow).

    Depending on your individual needs, we can:

    • conduct a manual analysis of the source code for typical programming vulnerabilities, as well as logical errors,
    • automatically analyze the source code for security errors and evaluate the results of false positive.
    • improve your software development process to minimize the number of programming errors.
  • Research & Development

    As part of the Research & Development, we deal with issues related to vulnerability research – we conduct an in-depth analysis of selected solutions in search of technically advanced security vulnerabilities.

     An indispensable part of this type of work is fuzzing, i.e., all techniques consisting in providing the program with properly generated (unexpected) input data, thus causing behavior unforeseen by the developers of the solution.

     Each detected irregularity (for example detecting anomalies in API monitors or a potential memory leak through information from an appropriate tool) is thoroughly analyzed in terms of its importance for the safety of the product.

    Depending on your individual needs, we can:

    • carry out a reverse analysis of the binary code used as part of the solution, which will allow for an in-depth understanding of the processes and interactions which are taking place,
    • conduct a comprehensive analysis of the solution in terms of any errors,
    • prepare an environment for running software fuzzing,
    • develop tools to make use of the detected vulnerabilities (exploit development),
  • Security Development Lifecycle

    As part of the Security Development Lifecycle, we support our clients in reducing costs by solving security problems as they arise. We also significantly minimize the organizational risk that may result from launching a vulnerable application in a production environment.

    Our Secure SDLC activities include:

    • training programmers by showing the most common mistakes and by building awareness of threats,
    • attack surface analysis and threat modeling,
    • code review and code static analysis,
    • ongoing testing of changes made to the software – manually and with our automatic tools,
    • consultations at every stage of work and implementation of recommendations.

    Depending on your individual needs, we can:

    • implement the Software Security Initiative,
    • carry out threat modeling,
    • review the architecture and design of the system,
    • verify and improve DevSecOps processes.
  • Cryptography

    At AFINE, we offer you our professional advice on the safe transmission and storage of information. The possible range of our cryptographic services include:

    • assistance in the selection of appropriate architectural cryptographic solutions in the application,
    • verification of currently implemented cryptographic solutions, e.g., identification of typical errors in block, asymmetric and stream ciphers, integrity protection (MAC), or implementation of appropriate pseudo-randomness,
    • developing a secure mechanism for storing passwords in the application.

    The available support concerns cryptography in the context of web and native applications as well as hardware solutions.

    Depending on your individual needs, we can:

    • verify the applied cryptographic mechanisms,
    • prepare a recommendation of the most optimal cryptographic mechanisms for the system,
    • train programmers and architects in the correct use of cryptographic mechanisms.

Other

services

Is your company secure online?

Join our list of satisfied customers and safeguard your company’s data!

Trust us and leave your contact details. Our team will contact you to discuss the details and prepare a tailor-made offer for you. Full discretion and confidentiality of your data are guaranteed.