oose.

Security

Threat Analysis

In a threat analysis, the system is viewed from the perspective of potential attackers. This format has proven itself in many very different projects: this kind of structured brainstorming has been applied to alcohol meters, mobile web applications, communication protocols, and the processes that control access to the private keys used for software signing.

This combines the methodological knowledge of our security experts with the technical and project knowledge of the people involved in the project. The basis for the subsequent threat analysis is a shared understanding of the system assets to be protected. All system assets are compiled and then roughly prioritized. Another important preparation is to work out which attackers are likely to target the identified assets and what motives these attackers are pursuing. Depending on the complexity of the application, the motives collected in the brainstorming are condensed into 5-10 main motives. An attack tree is then created for each main motive: the main motive is the root node, and each path from a leaf to this root describes, in great detail, one possible attack on one or more system assets. The resulting countermeasures are finally prioritized by weighing their expected security gain for the system against the estimated effort required.
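The attack-tree step described above, as a small added example in Python (not oose's own tooling): a main motive is the root, every leaf-to-root path is enumerated as one attack, and candidate countermeasures are ranked by gain relative to effort. The motive, tree nodes, measures and their gain/effort scores are constructed for illustration; ranking by the gain/effort ratio is an assumption about how the weighing is done.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """One node of an attack tree; leaves are concrete attack steps."""
    name: str
    children: list = field(default_factory=list)


def build_example_tree() -> Node:
    """Constructed tree for the main motive 'obtain the code-signing key'."""
    return Node("Obtain the code-signing private key", [
        Node("Steal the key from the build server", [
            Node("Exploit an outdated service on the build server"),
            Node("Reuse leaked build-server admin credentials"),
        ]),
        Node("Trick the release engineer into signing an attacker build"),
    ])


def attack_paths(node: Node, prefix: tuple = ()) -> list:
    """Return every leaf-to-root path; each one is a possible attack."""
    path = prefix + (node.name,)
    if not node.children:
        return [path[::-1]]          # leaf first, main motive (root) last
    paths = []
    for child in node.children:
        paths.extend(attack_paths(child, path))
    return paths


# Constructed countermeasures with illustrative gain/effort scores (1-10).
MEASURES = [
    {"name": "Move the signing key into an HSM", "gain": 9, "effort": 5},
    {"name": "Patch and harden the build server", "gain": 6, "effort": 2},
    {"name": "Require MFA for build-server admins", "gain": 5, "effort": 1},
    {"name": "Two-person review before signing", "gain": 4, "effort": 4},
]


def prioritize_measures(measures: list) -> list:
    """Rank measures by expected security gain per unit of effort."""
    return sorted(measures, key=lambda m: m["gain"] / m["effort"], reverse=True)


if __name__ == "__main__":
    for path in attack_paths(build_example_tree()):
        print(" -> ".join(path))
    for measure in prioritize_measures(MEASURES):
        print(f'{measure["gain"] / measure["effort"]:.1f}  {measure["name"]}')
```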

Penetration Test

We are happy to help you test the security of your applications. For example, we analyze the fingerprint of the web server, the information about it that can be found via search engines, and the other services running on your public web servers. We check whether outdated, vulnerable or insecurely configured services and applications are running on the servers, whether old backups are still reachable, and whether other, possibly undocumented, admin interfaces exist. The authentication mechanisms of your application are checked for their strength and for ways to bypass them. We look for ways in which a user holding a given set of privileges, such as a clearly defined role, can execute actions or read data that should be reserved for a higher-privileged role.

Our experts systematically look for places where code can be injected into the application via user input. Among other things, this uncovers vulnerabilities such as cross-site scripting (XSS), SQL injection, XML injection, command injection and LDAP injection. We also use fuzzing to test whether your application behaves correctly under error conditions and, for example, does not disclose sensitive information in error messages. If you use cryptographic procedures, we take a close look at these as well.