Newsletter

To make sure you never miss the release of our next article, vulnerability advisory, or just to keep up-to-date with the latest news and updates from Digit Security; sign-up to our newsletter!

Latest News
October 12, 2011
In a recent article published on ‘The Register’ [1], Trusteer have attempted to “rebuff[...]” the “bank security bypass claims” apparently made by Digit Security in an article published in the Times [2] on the 1st October 2011. The article is almost exclusively composed of what are presumably quotes from the CEO of Trusteer, Mickey Boodaei. [...] read more read more
September 7, 2011
In the recent 44con security conference held at The Grange Hotel in London UK, Neil Kettle of Digit Security Ltd gave a presentation detailing the design of just one of the protections that Trusteer claim their product, namely Trusteer Rapport is capable of providing users. The information disclosed detailed both the design and implementation of [...] read more read more
July 23, 2011
The first vulnerability advisory, albeit covering many vulnerabilities in and of itself, affecting Securstar DriveCrypt has been released. The vulnerability in question exists due to the improper validation of a user-supplied pointer within a structure passed as argument to the IOCTL interface exported from the globally accessible “\\.\DCR” device. An attacker exploiting this vulnerability may [...] read more read more
Contact Us
Home \ Software Security

Software Security Services

The security of a system is critically dependant on the security of the software running on that system. Providing assurances as to the security of that software has always proved difficult, and in the general case impossible. However, while techniques do not exist to provide a guarantee, it certainly is possible to limit the risks posed, effectively plugging the gap.

According to The Open Web Application Security Project (OWASP), "Code review is, with a doubt, the single-most effective technique for identifying security flaws. When used together with automated tools and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort."

The efficacy of a manual code review process is evident, and easily demonstratable. A human reviewer can not only understand the context of code, but can also make a judgement on the use of certain coding practices, and thereby make a serious, yet accurate, risk estimate accounting for both "the likelihood of attack and the business impact of a breach."

Despite the many claims that code review is too expensive or time consuming, there is no question that it is the fastest and most accurate way to find and diagnose many security problems. There are also dozens of serious security problems that simply can't be found any other way. I can't emphasize the cost-effectiveness of security code review enough. Consider which of the approaches will identify the largest amount of the most significant security issues in your application, and security code review quickly becomes the obvious choice. This applies no matter what amount of money you can apply to the challenge.

Digit Security consultants have a long history of pro bono code review and reverse engineering of a wide range of software of varying complexity, ranging from local *NIX system binaries (CVE-2007-6276) to network services (CVE-2009-0849) to Operating System kernels (CVE-2007-4571, CVE-2008-1517, CVE-2009-1041). To learn more, see research.

In brief, key areas of our software security testing and assessment expertise include the following,

  • Code Review, according to The Open Web Application Security Project (OWASP), "Code review is, with a doubt, the single-most effective technique for identifying security flaws. When used together with automated tools and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort."
  • Reverse Engineering, if the source code of the program is unavailable for review, what do you do then? reverse engineering is the "process of discovering the technological principles of a device, object or system through analysis of its structure, function and operation". In the security sphere, reverse engineering is often limited to the discovery of software vulnerabilities and as such is often a necessary phase of the application security verification effort.

Research - Latest 3 Releases