Tag Archives: secure applications

TVS add Code Vulnerability Inspections to increase confidence in Application Security

Even when developers are following secure design principles and secure coding guidelines, mistakes are made. It is therefore recommended to perform automated code vulnerability scanning using a range of tools. The reports from these tools provide guidance on where vulnerabilities are most likely to exist.

This automated tool approach should be complemented with human expert code inspections to separate the true vulnerabilities from the false-positives, and also look for false-negatives the tools may have missed such as data encryption weaknesses bespoke to your applications and the context of their usage.

Security experts can then advise on remedial actions to apply and reinforce appropriate security controls, thereby preventing vulnerabilities from being exploited by threat agents.

The outcome should be an increased level of confidence that security risks are being identified and managed, rather than ignored or improperly handled.


DVCon Call for papers Deadline Extended

DVCon Europe has announced an extension of the Call for Papers deadline to 11 May 2015. After a very successful launch conference in 2014, the conference returns to Munich in November 2015. Papers for the conference should fall into one of the following four topic areas:

  • System-level design
  • IP reuse and design automation
  • Verification & Validation
  • Mixed-signal design and verification

The Call for Papers requires authors to submit a proposal consisting mainly of a title, an abstract of approximately 100 words, a section highlighting your results (including facts and figures), and references where appropriate.

Have you got a story to tell? Then tell it at DVCon Europe.


TVS and ESS announce strategic partnership to provide a complete security solution

PRESS RELEASE

Bristol, UK, 16 March 2015 – TVS, a leader in software test and hardware verification solutions, and Embedded Security Solutions, a specialist embedded security consultancy, today announced a strategic partnership to provide asureSECURE, a complete security solution from hardened SoC to software applications.

For hardware, TVS brings to the partnership its proven expertise in verification and a track record of successfully executing complex end-to-end verification projects for some of the leading semiconductor chip providers across the globe. ESS brings to the partnership many years of embedded security experience, firmly grounded in the semiconductor industry and the development of complex SoC devices. ESS offers a world-class security architecture capability, providing specifications at SoC and hardware IP level as well as product review services. TVS also brings expertise in both software testing and application security, helping clients to develop secure applications and then test them to demonstrate that they are secure.

The TVS and ESS partnership is aimed at addressing the needs of semiconductor chip vendors and product manufacturers who today face increasing demands to adopt a stronger system-wide security approach and need proven, reliable solutions capable of passing a variety of certifications. The joint expertise will help chip vendors and product manufacturers achieve first-pass silicon success, reduce time-to-market, address the requirements of emerging market segments such as IoT (Internet of Things), and systematically tackle the complexities introduced by increasingly demanding security requirements.

“TVS and ESS have proven capabilities to execute SoC verification and security implementation turnkey projects respectively. The TVS-ESS combination leverages this expertise to provide a full SoC implementation solution. The TVS software test and security expertise allows the partnership to offer full product security,” stated Mike Bartley, TVS Founder and CEO.

Paul Elliott, Founder and Director, ESS Bristol said, “By offering a comprehensive security specification, design, review and testing service, the TVS-ESS partnership helps chip vendors and product manufacturers enter markets with security requirements that have a steep learning curve and avoid mistakes in the security domain that are much more costly to remedy.”

Further information on TVS’s products and services is available at www.testandverification.com.

About TVS
TVS (Test and Verification Solutions Ltd) provides services and products to organisations developing complex products in the microelectronics and embedded systems industries. Such organisations use TVS to verify their hardware and software products, employ industry best practice and manage peaks in development and testing programmes. TVS’ embedded software testing services include onsite/offshore testing support, including assistance with safety certification and security testing. TVS’ hardware verification services include onsite/offshore verification support and training in advanced verification methodologies. TVS also offers Verification IPs and its own Verification (EDA) signoff tool.

About ESS
ESS (Embedded Security Solutions Ltd) is a consultancy business drawing on over 40 years of collective experience in the semiconductor industry defining leading-edge deep sub-micron system-on-chip (SoC) architectures. ESS specialises in securing embedded platforms for consumer products.

ESS provides services to organisations developing complex SoC-based systems that require embedded hardware security, and offers a comprehensive security requirements analysis and architectural specification service. Such organisations use ESS to bring in expertise that is often not available in house, speed development and avoid costly mistakes. In addition, ESS offers a security evaluation service and can perform a comprehensive review of your product against a target threat model. ESS will work closely with your development teams to support implementation and ensure first-time silicon success. ESS services include onsite/offshore support.

TVS Company Contact
Dr. Mike Bartley – TVS
+44 7796 307958
[email protected]

ESS Company Contact
Paul Elliott – ESS
+44-7598425476
[email protected]

Why ISO 27001 only sets the floor on cybersecurity

We will highlight how compliance with standards such as ISO 27001 sets only a floor, not a ceiling, on security. Everyone in a modern organisation, including the executives, now needs at least a basic understanding of cyber security to ensure their responsibilities are being discharged in good faith. We can win this struggle, but we have to understand the issues first.

Register for a free Web Application Security briefing here.

Perimeter Defences are not sufficient for building secure applications

The paradigm of perimeter (network-centric) defence can no longer keep up with malicious innovations that target web applications, and that method of protecting assets is approaching a technical dead-end. Even if you double spending on perimeter defence, only a small increase in security would be achieved, and the return on investment would be very poor. It is crucial that cyber-security spending is targeted at preventing the real threats to your organisation, and not misplaced into unbalanced defences purely out of tradition.

Register for a free Web Application Security briefing here.

T&VS wins a place on the UK Government G-Cloud framework

PRESS RELEASE

Bristol, UK, 10 February 2015 – T&VS, a leader in software test and hardware verification solutions, today announced it has been awarded a place on the UK Government’s G-Cloud 6 framework, providing public sector bodies with an easy and cost-effective route to engage with the company. T&VS will be offering software test and verification services, and security and penetration testing services, under Lot 4: Specialist Cloud Services (SCS).

G-Cloud framework suppliers offer their services to the public sector under standard terms and conditions at agreed rates. Suppliers and their services are listed on the Digital Marketplace online catalogue, enabling public sector bodies to buy the IT services they need without going through a full tendering process.

One of the aims of G-Cloud is to increase the amount of business between SMEs such as T&VS and government bodies, and recent figures confirm this is happening. “G-Cloud has been the stand-out success in the UK Government’s SME program,” said Stephen Allott, Crown Representative for SMEs to the Cabinet Office.

Mike Bartley, T&VS Founder and CEO, commented, “T&VS has a proven track record of providing high quality and cost effective test and verification services for software to private sector organisations and engagements with public sector bodies are already underway. Winning a place on the G-Cloud framework will further ease and increase our public sector engagements. We are also offering our application security and penetration testing services under G-Cloud, which will be of considerable benefit to the public sector as they look to deliver highly secure cloud services.”

Any public sector organisations that need access to specialist test, verification or security services for their cloud IT projects can get in touch with T&VS directly at http://www.testandverification.com/contact-us/contact-us-form/ or via the Digital Marketplace at https://www.digitalmarketplace.service.gov.uk/.

Further information on T&VS’s products and services is available at www.testandverification.com.

About T&VS
T&VS (Test and Verification Solutions Ltd) provides services and products to organisations developing complex products in the microelectronics and embedded systems industries. Such organisations use T&VS to verify their hardware and software products, employ industry best practice and manage peaks in development and testing programmes. T&VS’ embedded software testing services include onsite/offshore testing support, including assistance with safety certification and security testing. T&VS’ hardware verification services include onsite/offshore verification support and training in advanced verification methodologies. T&VS also offers Verification IPs and its own Verification (EDA) signoff tool.

T&VS Company Contact
Dr. Mike Bartley – T&VS
+44 7796 307958
[email protected]

Media Contact
Oliver Davies – Publitek Technology PR
+44 1225 470000
[email protected]

The great OWASP resource on application security testing

Declan O’Riordan, head of security testing, T&VS, and Arulselvar Thomas, security expert, T&VS India

The reality is that applications written in .NET, PHP, Java and similar platforms are insecure by design, insecure by default and insecure in deployment. This is because their entire security model is based on the assumption that no malicious code will be executed in their environment.

Non-secure applications are a problem for nearly every business with an online presence, and the more complex and interconnected an IT infrastructure becomes, the harder it can be to secure the applications. More powerful web applications mean more complicated code carrying a greater risk of coding flaws, which can lead to serious security vulnerabilities within the application. Web application vulnerabilities face exploitation by relentless malicious players bent on profiteering from data theft or gaining online notoriety. In this article I would like to highlight the different application security frameworks from OWASP.

OWASP

The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. The OWASP community includes corporations, educational organisations and individuals from around the world. This community works to create freely available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a 501(c)(3) charitable organisation that supports and manages OWASP projects and infrastructure. It has been a registered non-profit organisation in Europe since June 2011.

Why OWASP?

OWASP draws together national and international legislation, standards, guidelines, committees, and industry codes of practice. All online application security materials and frameworks are thoroughly reviewed by OWASP’s 30,000+ volunteers before being added under the OWASP brand. Thus anyone can learn important lessons on application security from OWASP documentation. OWASP currently has over 142 active information security projects, with new project applications being submitted every week.

Different OWASP security domains

An OWASP project is a collection of related tasks with a defined roadmap and team members. The OWASP Top 10 vulnerability list is an example of a project that is very popular with both developers and testers. Initially, OWASP projects concentrated on application security and addressed 95% of security issues across platforms such as .NET, PHP, and Java, releasing free tools and security resources in these areas. Due to market demand, OWASP has now also started addressing new potential security issues across domains such as smartphone technology, the Internet of Things (IoT) and SCADA security, amongst others.

OWASP core values

OWASP’s Top 10 materials and best practice guidelines are aimed at both developers and security auditors, encouraging open source products and projects to carry out effective security testing. This gives organisations and security researchers a cost-effective basis for security testing. OWASP’s core values are:

  • OPEN – Everything at OWASP is radically transparent, from OWASP finances to OWASP code.
  • INNOVATION – OWASP encourages and supports innovation and experiments for solutions to software security challenges.
  • GLOBAL – Anyone around the world is encouraged to participate in the OWASP community.
  • INTEGRITY – OWASP is an honest and truthful, vendor-neutral, global community.

OWASP guidelines

OWASP provides complete documentation guidelines to demonstrate application security across all domains. A large number of application security compliance controls are addressed by OWASP. This should help developers and testers to better understand their application security and achieve certification where required. OWASP also maps its guidance onto security standards and regulations, providing a general application security framework that addresses industry best practices and standards such as:

  • BSIMM – The Building Security In Maturity Model
  • CMMI – Capability Maturity Model Integration
  • CLASP – Comprehensive, Lightweight Application Security Process
  • COBIT – Control Objectives for Information and Related Technology
  • COSO – The Committee of Sponsoring Organizations
  • ISF – Information Security Forum’s Standard of Good Practice
  • ITIL – Information Technology Infrastructure Library
  • ISO/IEC 27001:2005 and ISO/IEC 27002:2005
  • HIPAA – Health Insurance Portability and Accountability Act
  • MS SDL – Microsoft Security Development Lifecycle
  • NIST Handbooks (e.g. the “800 Series”)
  • OCTAVE
  • OpenSAMM – Software Assurance Maturity Model
  • PCI DSS – Payment Card Industry Data Security Standard

Conclusion

OWASP provides awareness and guidelines for web application security. The experts at OWASP have concluded that security vulnerabilities represent a serious risk to agencies and companies that have exposed their business logic to the Internet. Web application security problems are as serious as network security problems, although they have traditionally received considerably less attention. Attackers have begun to focus on web application security problems and are actively developing tools and techniques for detecting and exploiting them. Developers and testers need to respond, and a great first step is to look at the OWASP Secure Coding Practices, the Testing Guide, the ASVS checklist and the OWASP Top 10 lists.

What you should do

  • Educate your developers about OWASP’s application security framework.
  • Educate your functional testers so they can improve their test cases with respect to the basic OWASP security requirements.
  • Application owners should maintain awareness of the OWASP standards to reduce the risk of information security non-compliance.
  • Adopt OWASP best practices throughout the application development lifecycle.
  • Develop a culture where security is an ongoing process rather than a one-time implementation consideration.

Free white papers on how to start building and testing secure web applications

The purpose of these documents is to set out good practice for avoiding security vulnerabilities on any web application project. They include:

  – An explanation of web application security development and testing
  – Guidelines for developers and testers to reduce the top ten application security risks

Download your free white papers now

References

  – OWASP – https://www.owasp.org/
  – Wikipedia – http://en.wikipedia.org/wiki/OWASP
  – DenimGroup – http://www.denimgroup.com/blog/denim_group/2010/01/mapping-between-owasp-top-10-2004-2007-wasc-242-and-sans-cwe25.html
  – Critical Watch – http://www.criticalwatch.com/assets/c-Owasp-to-Wasc-to-CWE-Mapping-Tech-Paper-0710131.pdf