Software security

Web application and API security tests are assessed in accordance with the OWASP Application Security Verification Standard (ASVS). What distinguishes us on the market is the fact that we do not rely on automatic tools. We carry out our tests manually, using automated tools only to automate basic work.

The types of errors we detect include:

• SQLi,
• XSS,
• CSRF,
• SSRF,
• DOM-based vulnerabilities,
• CORS,
• XXE,
• HTTP Request Smuggling,
• Insecure Deserialization,
• OS Command Injection,
• Server-side template injection,
• Directory traversal,
• Access control vulnerabilities.

 Depending on your individual needs, we can offer you:

• comprehensive web apps security tests,
• comprehensive REST API security tests,
• comprehensive security tests of the additional mechanisms used withing web apps (such as WebSocket).

Mobile applications penetration tests allow us to comprehensively verify the security of mobile solutions, from compliance with good practices, to examining the security of the application interface, its interaction with the mobile operating system and interaction with the backend that supports user requests. An important element of mobile application security tests is also decompilation and reverse engineering, necessary to verify the likelihood of disclosure of sensitive technological data, as well as discovering vulnerabilities invisible from the user interface or mobile system emulator. Our work focuses both on Apple ecosystem and the Android system.

Depending on your individual needs, we can:

• examine the business logic of the application,
• verify the communication interfaces used by the application (mobile communication, Wi-Fi, Bluetooth, NFC),
• check the permissions that the application needs to run on the device (whether, for example, they are not redundant, thus exposing end users),
• control the security of protocols used to communicate with the server (technology used, transmission security, etc.),
• verify the security and authorization of transactions performed from the application level,
• verify the security of data stored on a mobile device (including cache),
• verify the security of the application screens (e.g., whether the account balance is visible after switching the application to the background),
• check the information logging by the application (e.g., whether the device logs do not contain sensitive information),
• assess the security of frameworks and external libraries used by the application,
• verify the detection of jailbreak and the behavior of the application when it is detected that this process has been carried out on the device,
• verify the correctness of communication security by the so-called certificate pinning,
• verify encoded sensitive data, e.g., private certificates, encryption keys or other sensitive information,
• investigate the possibility of circumventing the authentication and authorization processes,
• verify the access security by blocking it after several unsuccessful attempts,
• examine the security of user sessions (e.g., automatic termination on the device and server, clearing the memory of session data after its end, sending session data in GET parameters, vulnerability to session fixation attacks, method of generating tokens and others),
• verify the vulnerability to typical web attacks (e.g., XSS, injection attacks – SQL, HTML, XML, and others – OS command injection, CSRF, cookie security, HTML5 security, or cross domain policy settings),
• assess the privacy of application users (whether, for example, user data is not transferred to external servers).

We perform security tests of binary / native applications written in both byte-compiled languages (e.g., C # / Java) and machine code (e.g., C / C ++). Our portfolio includes successfully conducted penetration tests of solutions such as thick-clients, ERP (Enterprise Resource Planning) systems, accounting systems, and messaging systems (including IBM MQ / ActiveMQ). We also have extensive experience in analyzing the security of native services, which are an extension of web browser extensions (Mozilla Firefox, Google Chrome) based on native messaging, both in macOS and Windows.

Our team has experience in identifying vulnerabilities such as:

• Memory Corruption Bugs:
  • Heap related:
    • Heap-based Buffer Overflow,
    • Use-after-free,
    • Double free;
  • Stack related:
    • Stack Overflow,
    • Stack-based Buffer Overflow;
• Type Conversions vulnerabilities;
• Arithmetic issues:
  • Integer Under/Over-flow;
• Strings/metacharacters handling:
  • Format strings vulnerabilities,
  • NUL Character Injection;
• Memory leaks;
• Command Injection vulnerabilities;
• Path traversal;
• Race Conditions;
• OS specific issues:
  • Windows:
    • vulnerabilities related to symbolic links,
    • Windows registry issues,
    • privilege escalation (e.g. by abusing services),
    • Interprocess Communication issues;
  • macOS:
    • privilege escalation.

We can offer you a comprehensive security analysis of native software.

The source code review is based on a very detailed security analysis that allows you to understand the context of the implemented mechanisms and to estimate the risk. It takes into account both the probability of an attack and the business risk that comes with it. We have many years of experience in identifying vulnerabilities in the source code, both in the context of web applications (including ASP.NET, PHP, Python, Go, JavaScript) and binary applications, such as the identification of typical C / C ++ errors in the context of management on a stack (e.g., Stack-based Buffer Overflow) or on a heap (e.g., Use-after-free and Heap-based Buffer Overflow).

Depending on your individual needs, we can:

• conduct a manual analysis of the source code for typical programming vulnerabilities, as well as logical errors,
• automatically analyze the source code for security errors and evaluate the results of false positive.
• improve your software development process to minimize the number of programming errors.

As part of the Research & Development, we deal with issues related to vulnerability research – we conduct an in-depth analysis of selected solutions in search of technically advanced security vulnerabilities.

 An indispensable part of this type of work is fuzzing, i.e., all techniques consisting in providing the program with properly generated (unexpected) input data, thus causing behavior unforeseen by the developers of the solution.

 Each detected irregularity (for example detecting anomalies in API monitors or a potential memory leak through information from an appropriate tool) is thoroughly analyzed in terms of its importance for the safety of the product.

Depending on your individual needs, we can:

• carry out a reverse analysis of the binary code used as part of the solution, which will allow for an in-depth understanding of the processes and interactions which are taking place,
• conduct a comprehensive analysis of the solution in terms of any errors,
• prepare an environment for running software fuzzing,
• develop tools to make use of the detected vulnerabilities (exploit development),

As part of the Security Development Lifecycle, we support our clients in reducing costs by solving security problems as they arise. We also significantly minimize the organizational risk that may result from launching a vulnerable application in a production environment.

Our Secure SDLC activities include:

• training programmers by showing the most common mistakes and by building awareness of threats,
• attack surface analysis and threat modeling,
• code review and code static analysis,
• ongoing testing of changes made to the software – manually and with our automatic tools,
• consultations at every stage of work and implementation of recommendations.

Depending on your individual needs, we can:

• implement the Software Security Initiative,
• carry out threat modeling,
• review the architecture and design of the system,
• verify and improve DevSecOps processes.

At AFINE, we offer you our professional advice on the safe transmission and storage of information. The possible range of our cryptographic services include:

• assistance in the selection of appropriate architectural cryptographic solutions in the application,
• verification of currently implemented cryptographic solutions, e.g., identification of typical errors in block, asymmetric and stream ciphers, integrity protection (MAC), or implementation of appropriate pseudo-randomness,
• developing a secure mechanism for storing passwords in the application.

The available support concerns cryptography in the context of web and native applications as well as hardware solutions.

Depending on your individual needs, we can:

• verify the applied cryptographic mechanisms,
• prepare a recommendation of the most optimal cryptographic mechanisms for the system,
• train programmers and architects in the correct use of cryptographic mechanisms.