IOActive
COMPREHENSIVE COMPUTER SECURITY SERVICES

APPLICATION SECURITY SERVICES
WWW.IOACTIVE.COM

Application Security Services
Code Review … Methodology
• Application Code Review
• Threat Modeling Service
• SDL Integration Service
• Training Services

Why Application Security Services?
Secure software is a subset of quality software and reliable software. At IOActive we are committed to helping our clients produce better quality software through our holistic approach of enabling competitive and efficient business through the adoption of secure software programming practices. IOActive was chosen by Microsoft as one of three firms in the world to perform source code security review for the Vista operating system.

While it is impossible to prevent every attack, it is estimated that nearly half of all application security vulnerabilities are completely preventable—if security is considered as a normal part of the development process. Whether you are an IT manager, developer, program manager, CIO, CISO, or CTO, your organization, users, and customers depend on you to protect the privacy and integrity of their information, and to ensure system availability.

Engaging IOActive provides you access to industry-leading software security expertise and an experienced, mature firm that is committed to the success of your project and organization.

Case History
In response to the largest known compromise of financial data to date, CardSystems Solutions has agreed to settle Federal Trade Commission charges that CardSystems' failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law. According to the FTC, the security breach resulted in millions of dollars in fraudulent purchases. The settlement will require CardSystems to implement an in-depth information security program and obtain audits by an independent third-party every other year for the next 20 years. Additionally, VISA and American Express notified CardSystems that they will no longer do business with them.

8 out of 10 internet security attacks are using port 80/HTTP to compromise system security. (Source - Information Security)

Software Analysis tools are useful but they are no replacement for human beings performing manual code reviews. No tool will replace humans.
(Michael Howard / David LeBlanc, Writing Secure Code, 2nd Edition)




Methodology
IOActive delivers customized application security services based on our clients’ development process and deployment or product-ship requirements. We believe that through a Security Development Lifecycle (SDL), security considerations and protective measures should be incorporated into all phases of a project, from design review through development, testing, and into deployment. By embedding security measures into the overall development process in this way, organizations can help ensure that software vulnerabilities are detected and addressed before they result in lasting damage. To assist our clients in this process, IOActive offers the following services:

Application Code Review
IOActive manually audits client source code to identify vulnerabilities. We then document the location and nature of each problem we find, and advise developers on how to address the immediate problem, and avoid similar problems in the future. Because software development is evolutionary and iterative, IOActive recommends that the code audit function reflects the structure of the development process and includes audit checkpoints for each of the major product stages: alpha, beta, and release-candidate. In addition to source code review, IOActive examines vulnerable points in design (such as legacy interoperability) for design flaws that may result in a security compromise. IOActive works with client development teams to help them ensure that their products are demonstrably hardened against attack; designed and built based on relevant analysis of risks, threats, and exposures; and appropriately tested to meet their defined security criteria and functionality requirements.

IOActive consultants have years of code auditing experience, and routinely assist organizations with highly complex and advanced application security challenges.

+ Application Code Review
            {C/C++, .NET, JEE, Delphi, ASM, Perl}
+ Web Application Code Review
            {ASP.NET, C#, JEE, PHP}
+ Black Box Application Pen-Test
+ Product Evaluation and Recommendation {white/black}
+ Reverse Engineering Software and Protocols
+ DRM Testing
+ Fuzz Testing // Application and Protocol
+ M&A due diligence

Threat Modeling Service
IOActive’s threat modeling service is designed to occur early in the project lifecycle and can be used to find security design issues before a single line of code is written. Organizations leveraging this service have found that it often leads to significant project cost savings because issues are resolved early in the development lifecycle.

Security Development Lifecycle Integration
IOActive’s SDL integration service is designed to help organizations integrate security into all phases of the software development process. Our consultants work alongside an organization’s project managers, security architects, and coders to identify efficient methods for integrating security into the overall development process. Covering the complete lifecycle of software development, from conception to deployment, IOActive reviews practices and tasks, providing strategic recommendations for the implementation of a security-focused development lifecycle, and identifying opportunities to increase the effectiveness of risk management for the enterprise.

Training Services
IOActive believes that education is critical to delivering secure software. Our training helps developers understand how to design, build, test, and deploy secure systems. With years of real-world experience, IOActive’s instructors craft customized curricula presented in an engaging classroom environment to maximize learning potential.

+ Advanced Asp.Net Exploits and Countermeasures
+ Writing Secure Code: .NET and Java
+ Rapid Application Threat Modeling
+ The Security Development Lifecycle

Statistics
Security investments made in creating secure coding practices will return 12-21% of overall project costs. Security investment made during design phase will yield organizations a 21% ROI. If security is not incorporated until the implementation phase, organizations will benefit from a 15% ROI. If organizations have phased security into their test cycle, 12% ROI of total project costs.
- Study conducted by Kevin Soo Hoo, Andrew W. Sudbury, Andrew Jaquith

For more information about our services please contact:
SECURE@IOACTIVE.COM
TOLL FREE (866) 760-0222

SECURE@IOACTIVE.COM
HTTP://WWW.IOACTIVE.COM
TOLL FREE (866) 760-0222

About IOActive
Established in 1998, IOActive is a professional services consulting firm specializing in information risk management and application security analysis for global organizations and software development companies.

Unlike commoditized network security services and off-the-shelf code scanning tools, IOActive performs gap analysis on information security policies and protocols, and conducts in-depth analysis of information systems, software architecture and source code by using leading information risk management security frameworks and carefully-focused threat models.

As a home for highly skilled and experienced computer security professionals, IOActive has attracted the likes of Dan Kaminsky, Jason Larsen, Darek Milewski, Ward Spangenberg, and Ted Ipsen; key advisors like Steve Wozniak; and a crew of unequivocally talented "white-hat" hackers who, before being asked to host the infamous Capture the Flag at Def Con, owned the competition three years in a row.

Another data-point reflecting the talent of our consultants is the fact that IOActive is one of only three firms in the world that were tasked by Microsoft with the security code review of the Vista client operating system.

Application Security Services
• Threat Modeling
• Application Code Review
      {C/C++, .NET, C#, Java, Delphi, ASM, Perl}
• Web Application Code Review
      {ASP.NET, C#, Java, PHP}
• Black Box Application Pen-Test
• Product Evaluation {white box/black box}

Infrastructure Audit Services
• Vulnerability Testing
• Penetration Testing

Incident Response Services
• On Call Contracts
• Network Flow Data Analysis
• Disk Level Analysis
• DDoS Mitigation

Advisory & Risk Management Services
• ERM Development and Implementation
• ISO 27001 / 17799 Implementation
• Security, Privacy & IT Audit Co-Sourcing
• Compliance Assessments
• Third-party Due Diligence Reviews
• PCI Data Security Standard

Training Services
• Advanced Asp.Net Exploits and Countermeasures
• Writing Secure Code .NET and Java
• Rapid Application Threat Modeling
• The Security Development Lifecycle
• How to Respond to a Security Breach
• Security Incident Response Seminar
