System Analysis and Audits

Threat Models

Have you ever found yourself wondering about all these different accounts, permission levels and certificates being introduced into a product? Software architects and developers build them in to increase security and spend valuable development time on the topics. But the security consulting company you work with declares the same product an apocalypse and recommends rewriting everything? This is a typical example of missing threat modeling.

System Threat Modeling takes the entire system into account. To understand the security threats, a system or product needs to be put into the perspective of its application scenarios. Often, the features of a product pose more dangerous threats to the security in an application scenario than arbitrary security vulnerabilities would. In some cases, specific vulnerability classes (such as Cross Site Scripting) are highly critical while being almost irrelevant in another scenario with the same product.

A System Threat analysis considers non-technical attack vectors as well as mitigating factors. In many cases, successful attacks from related entities such as business partners or third parties are technically much more likely than from unrelated attackers in the wild. Such attack vectors need to be considered and are easier mitigated, often by non-technical means. Investigating and analyzing the possible attacks and mitigations and thoroughly documenting them reduces development and testing cost significantly and greatly improves the effectiveness of security work at all stages of the product lifecycle.

Audits

Before implementing a new software or appliance product in your production environment or rolling out the installation to all branch offices, a product audit allows you to verify the internal design and implementation security of a third party product. Based on the threat model, Recurity Labs thoroughly tests the product in the configuration scenario of the intended application. The goal of the audit is to verify the correct functioning of the product under hostile conditions.

Penetration Test

Recurity Labs does not perform penetration tests. Penetration tests aim at a maximum effect for the attacker while not providing a consistent level of results. They prove, if successful, that an attack is possible without providing any valuable data about the overall security of a network, hence facilitating a "just fix this one hole" attitude.

Network Assessments

Recurity Labs offers network assessment services to customers requiring a high accuracy and professionalism for the task. We understand network assessments as stocktaking of the currently running network infrastructure, providing measurements on a higher level than vulnerability assessments and giving dependable guidelines for future development of your infrastructure based on solid data. Recurity Labs constantly works on their own tools and technologies to improve the performance and dependability of assessments. We develop our own predictable TCP port scanner PortBunny to better serve our customers.