CBIS Security Analysis & Evaluation Services

Design & Architectural Analysis

"Security by Design"

At CBIS Labs (formerly known as Clearbridge InfoSec), we believe security by design is imperative fundamental of a robust and secure system or software. Security by design simple means that the software or solution or system has been designed with security in mind. A good design may work well but it does not imply that it is secure. A good design without security consideration may be eventually a magnet to attract malicious attempts to probe the design for vulnerabilities and may result in catastrophic outcome such as an attack on vulnerabilitiy.

CBIS Labs has many years of hands-on experience in designing and architecting large enterprise solutions and products development with the fundamental principle of "Security by Design". Here, in CBIS Labs, we are the right partner with the expertise to provide design and architectual consultancy and analysis.

Binary Analysis

"Binaries are what machines execute and what attackers attack. Verifying binaries ensure that third party libraries, components packages and compiler vulnerabilities, backdoors and Trojans can be detected"

Economic, competitive and time-to-market pressures are driving enterprises to use third party applications from a myriad of sources as part of their application development process. While this mixed code base of unknown security quality is an undisputed artifact of modern application development, it also pushes liability onto the enterprise resulting in an unacceptable level of risk. Furthermore, the access of source code of third party applications is often limited and lacking. This makes traditional source code scanning a difficult option.

CBIS Labs, through its partnership with Veracode, a world leader in Binary Analysis, is able to provide agile binary analysis through a cloud-based delivery platform. This ensures a fast and affordable analysis for customers.

This binary analysis can add tremendous value in customer's pre-procurement evaluation process. Currently, common RFP evaluation process only involves paper evaluations or at most test units for functional testing. However, vendors are unlikely to provide any source codes for further evaluation. This puts risk on the procurement process. With this binary analysis, procurement agencies are now able to conduct very quick binary analysis and receive the analysis grading which can further give assurance to the security robustness of the product or solution.

This patented and innovative technology has re-defined the possibility of a truly "informed decision".

Extracted from Gartner Blog Network

Neil MacDonald, VP & Gartner Fellow, July 24, 2009

In the research we describe the three primary ways to perform static analysis:

• analysis of the source code

• analysis of the byte code of an interpreted language like Java or .NET

• analysis of the raw binaries of a compiled application (such as a C++application)

The latter two are important if you don't have the source code of the original application to analyze. For example, perhaps its a third-party application or perhaps the source code simply isn't available.

For more information on binary analysis, email us at contact@cbislabs.com.

Source Code Review

"A pair of trained eyes is like a Specialist Doctor, who can pick up signals that automated tools may not detect ..."

Manual source code review forms the basis of traditional security evaluation methodology. This methodology refers to the review of target source codes using manual trained expertise to identify potential backdoors, Trojans and vulnerabilities.

Though manual source code reviews are often time and resource intensive, such methodology not only complements automated analysis, it actually provides added level of assurance. Combining with automated analysis methods, trained manual source code reviews on targeted segments could detect signatures that are not yet formalized under the automated analysis database. Also, trained experts could add in heuristic intelligence reviews over the automated analysis.

The true effectiveness of manual source code reviews is a direct relationship to the degree of expertise in the review team. Just like in a Formulae One car race, one cannot win a race with just a powerful car, one needs a trained expert driver who knows how to push the car to the limit. This is where CBIS Labs excels. We are the experts in a manual source code review, we are the one that can push the evaluation to the limit.

Independent Verification Testing

"Trust but Verify"

Often vendors make claims on their products and solutions. It is equally important for users and customers to ensure that the products or solutions that they are purchasing, are performing as claimed. Unlike other analysis methods which target at finding flaws, Trojans and backdoors, in independent verification testing, the focus is on verifying that the products and solutions security properties are functioning as claimed.

Independent verification testing is not a generic functional test. Using a doctor as an analogy, independent verification testing is actually a specialist test. It is not going through a standard health screening, but seeing a specialist who can verify the heart of the product - security properties. Every product and solution is designed with a set of security properties - a set of security functions for it to fulfill its security objectives. For example, a hardware security module (HSM) is expected to securely generate and protect the cryptographic keys. A normal functional test can verify that the HSM can generate keys but does the HSM really generate secure and random cryptographic keys?

This is where independent verification testing comes in. CBIS Labs' Cryptographic Testing Laboratory has the capabilities to conduct detail independent testing to verify the randomness of the cryptographic keys generations, anti-tampering mechanisms and all cryptographic and security functionalities. With such verification tests conducted, customers can truly be assured that they are buying what they see.

Dynamic Analysis and Penetration Testing

"Stress testing product in real world - hostile world. Challenge the assumptions"

Often, good product development teams do design tests to verify the functions and performance of the product. However, the disadvantages of such tests often lie in the assumptions. All tests are formulated based on assumptions and being product development team, the assumptions made may not be comprehensive for various operating scenarios. Furthermore, even if the products by themselves have undergone numerous stress tests, when different products come together to form a system, potential gaps may surface to allow attackers to exploit.

The CBIS Labs Team has the ability to conduct dynamic analysis and running the targets of evaluation under hostile environment that emulates the real world scenario. Such red teaming or dynamic analysis aims to test the assumptions in similar way that an attacker would stress the system. The CBIS Labs Team also has a team of PenTest specialists who can perform application layer penetration testing on the target under deployment to find gaps that may not have been obvious.

Product Lifecycle Security Management (PLSM)

"Without regular reviews and proper security assessment on the patches and upgrades actually form a critical security gap that can overcome or invalidate all security assessment and risks that were completed earlier..."

A product may be properly evaluated and deployed at the point of initial deployment. As the product or solutions go into deployment cycle; patches, updates and upgrades often come in. Such patches and updates could be a "double-edged sword".On one hand, these patches and updates may increase the resilience of the product or solution to defend against latest attacks and risks. However, on other hand, without proper security assessment, such patches and updates could themselves be conduits for attacks to ride into the systems or solutions.

An entire security lifecycle management is required to ensure that the solutions are up to date and also the patches / updates will not compromise the security properties of these solutions.

CBIS Labs always takes the interest of the customers at heart. Proper security assessment and regular reviews provide assurance to system owners and users that the security vigilance remains high throughout the deployment cycle.

CBIS Labs doesn't just stay with the customers at the point of deployment. CBIS Labs stays with the customers till the end of the deployment for the solutions.

PCI Compliance Analysis

Quoting from PCI Org website - "The Payment Card Industry Data Security Standard is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands."

Merchants who sell products in the financial industry or payment card industry or merchants who operate payment card systems and solutions are required to comply with the PCI DSS.

Here at CBIS Labs, we provide quick PCI Compliance Analysis for vendors or end users who would like to measure the compliance level. The analysis report from CBIS Labs will provide a clear and comprehensive analysis on the level of compliance and where are the gaps in the products or solutions.