SI Secure


Secure Verification Solutions

The objective of application verification is to determine where vulnerabilities reside and the magnitude of the exposure. Software can meet every requirement and perform every specified action flawlessly yet still be exploited by an attacker, because exploits rely on behavior the specification never mentioned. In order to locate and prevent security bugs, developers and testers have to think differently: not "does it do what it should?" but "what else can it be made to do?"

Our security verification tools and practices uncover security vulnerabilities that result from unintended application behavior. This knowledge can guide development teams toward more robust development practices, or inform the vendor selection process for subsequent application or maintenance purchases. Our solutions entail:

  • Holodeck fuzz testing tool
  • software security testing
  • dynamic analysis/run-time verification
  • computer-based and instructor-led training

Holodeck Test Tool - Dynamic/Fuzz Testing
Holodeck is a unique fuzz testing tool that discovers how an application consumes, handles and responds to malformed data. Poorly coded applications try to process the data without checking that it is correct and complete. If the application "falls over" (crashes, hangs or otherwise fails unexpectedly) when fed fuzzed data, a flaw has been found; a crash in native code in particular often indicates memory corruption that an attacker could turn into an exploit.

The Microsoft SDL fuzzing requirement states that an application with file-handling code must consume 100,000 fuzzed files. This level of fuzz testing gives additional confidence that your application can handle maliciously corrupted files without failing due to buffer overflows or other memory-safety defects. While it is possible to generate 100,000 randomly corrupted files and obtain some fuzz coverage for your application, Holodeck goes much further. Holodeck can be pointed at any file your application consumes and will corrupt it either with random data or according to very specific rules that you define (for example, overwriting a particular header field with boundary values).

Because Holodeck virtualizes the file stream, the original file on disk is never touched: the corruption happens in real time on the stream as your application consumes it, so the same seed file serves every iteration. This level of direct and advanced fuzzing is unmatched in the industry. And when you are ready to advance your testing beyond file fuzzing, Holodeck can also corrupt network streams and any data streams that your application exposes or consumes over public APIs.
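A minimal mutation fuzzer in the spirit of what this section describes, added here as an illustration; it is not Holodeck and not Security Innovation's code. It invents a toy "IMG1" image format and a hypothetical naive parser that trusts its header, then runs random byte flips, truncation and rule-based header mutations (the "specific rules you define") against it and classifies each result: graceful rejection, success, or an unhandled failure. A hardened parser that validates the header against the bytes actually present survives the same campaign. Unlike Holodeck it mutates an in-memory copy rather than intercepting the file stream, but the seed is likewise never modified. The format, the parsers and the seed file are all constructed for this example.

```python
"""Toy file-format mutation fuzzer (illustrative; not Holodeck)."""
import random
import struct

# Constructed toy format: 4-byte magic, big-endian u16 width, u16 height, then width*height pixel bytes.
MAGIC = b"IMG1"
SEED_FILE = MAGIC + struct.pack(">HH", 4, 2) + bytes(range(8))  # constructed 4x2 image, 16 bytes
INTERESTING = [0, 1, 0x7F, 0x80, 0xFF, 0x7FFF, 0x8000, 0xFFFF]  # boundary values for rule-based mutation


def parse_image(data):
    """Hypothetical 'poorly coded' parser: trusts the header and never checks it against the body."""
    if data[:4] != MAGIC:
        raise ValueError("bad magic")        # the only check it performs
    width, height = struct.unpack_from(">HH", data, 4)  # struct.error if the file is cut inside the header
    pixels = data[8:8 + width * height]      # silently shorter than declared when the body is truncated
    return width, height, pixels[0], pixels[width * height - 1]  # IndexError when the header lies


def parse_image_checked(data):
    """Hardened version: validate every header field against the bytes actually present."""
    if len(data) < 8:
        raise ValueError("short header")
    if data[:4] != MAGIC:
        raise ValueError("bad magic")
    width, height = struct.unpack_from(">HH", data, 4)
    if width == 0 or height == 0 or len(data) - 8 < width * height:
        raise ValueError("header does not match body")
    pixels = data[8:8 + width * height]
    return width, height, pixels[0], pixels[width * height - 1]


def run_case(target, data):
    """Feed one fuzzed file to the target and classify how it behaved."""
    try:
        target(data)
        return "ok"
    except ValueError:
        return "rejected"                    # graceful rejection of bad input is the desired behaviour
    except Exception as exc:                 # anything else is an unhandled failure, i.e. a bug
        return "crash:" + type(exc).__name__


def flip_bytes(data, rng, count=4):
    """Random corruption: overwrite a few bytes at random offsets."""
    buf = bytearray(data)
    for _ in range(count):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def truncate(data, rng):
    """Random corruption: cut the file short, as a partial download or hostile sender would."""
    return data[:rng.randrange(len(data))]


def set_field(data, offset, value, fmt=">H"):
    """Rule-based corruption: overwrite a specific header field with a chosen value."""
    buf = bytearray(data)
    struct.pack_into(fmt, buf, offset, value)
    return bytes(buf)


def fuzz(target, seed, iterations, rng):
    """Run a campaign in memory; the seed is never modified, each iteration mutates a fresh copy.
    Returns {failure class: first input that reproduced it}."""
    crashes = {}
    for i in range(iterations):
        kind = i % 3
        if kind == 0:
            case = flip_bytes(seed, rng)
        elif kind == 1:
            case = truncate(seed, rng)
        else:  # cycle the width (offset 4) and height (offset 6) fields through INTERESTING values
            offset = (4, 6)[(i // 3) % 2]
            case = set_field(seed, offset, INTERESTING[(i // 6) % len(INTERESTING)])
        result = run_case(target, case)
        if result.startswith("crash:") and result not in crashes:
            crashes[result] = case
    return crashes


def campaign(target, iterations=300, seed_value=0):
    """Deterministic campaign against the constructed seed file."""
    return fuzz(target, SEED_FILE, iterations, random.Random(seed_value))


if __name__ == "__main__":
    for name, parser in (("naive", parse_image), ("checked", parse_image_checked)):
        found = campaign(parser, iterations=100_000)   # the SDL iteration count
        print(name, {k: v.hex() for k, v in found.items()})
```

The naive parser falls over in two distinct ways (an IndexError when the declared size exceeds the body, a struct.error when the file is cut inside the header); each class is recorded once with the input that reproduces it, which is what a tester actually needs to hand to a developer. The checked parser rejects every mutated file with a ValueError and records no crashes.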

Penetration Testing
Penetration testing exploits vulnerabilities in the application that could be used to gain unauthorized access to the application, the data it processes, or the operating system on which it is hosted. Leveraging security testing techniques derived from our top-selling book How to Break Software Security, our security engineers employ proprietary manual attacks and specialized tools to uncover vulnerabilities in your software.

Run-time verification is needed because some vulnerabilities do not manifest until the application is deployed in an operational environment, where real configuration, permissions and interacting components come into play. Along with performing security testing, we review the threat models, compare them against the testing results and re-evaluate the attack surface.

TeamMentor™ - secure coding guidance system
TeamMentor™ is a sophisticated application security guidance system that delivers the collected experience of Security Innovation engineering to development teams of all sizes. In Wiki-like format, it provides on-demand, task based collections of secure development and testing knowledge, guidance and libraries to specific practitioners at the appropriate lifecycle phase - helping the entire team build more secure applications.

Training
Security Innovation offers the following computer-based and instructor-led courses, which give test teams the skills they need to discover vulnerabilities prior to release:

  • How to Break Software Security - learn how to leverage tools and innovative techniques for effective security testing

  • How to Break Web Software - become skilled at web application testing and learn the attacks used against Web sites

  • Security Testing BootCamp - a follow-on to How to Break Software Security that focuses on your application of choice

