SecurityBitnux are highly skilled in security and can offer a wide spectrum of security related services. We can either contribute with entire system solutions including for instance firewall, VPN and intrusion detection (IDS) or give support to your own technicians when problems arise or when new functionality is to be introduced.
Code Review Code Review For companies and institutions that develop their own software we can offer an independent review of the source code to identify security flaws and suggest or implement solutions for them ourselves. We are experienced with development in languages such as C, C++, Object Pascal (Delphi/Kylix), Java, Javascript, Tcl, Perl, PHP and shell scripts and are used to identify flaws at both source code level and in the form of logical flaws. Secure programming is unfortunately an art that is rarely teached in schools so far and there is little literature on the subject, often security flaws arise due to programming language specific peculiarities that the hackers themselves are most knowledgeable of. We can also educate your own programmers to make them aware of the risks. Web services and all software that acts as a client or server on some type of computer network as well as software that is executed with increased privileges (SUID/SGID programs on Unix systems for instance) are common targets of attack for hackers. Source code review is the best way to identify security flaws and is highly recommended regardless if you want to protect your information, your money or just your reputation. Firewall, VPN-server and intrusion detection system (IDS) are examples of what we can contribute with to your network. We are also competent with PKI and SSL in case you need to securely exchange information or establish connections over unprotected computer networks, such as the Internet. We are supporters of open systems since we believe that the availability of source code is of utter importance to assure that security is high on all levels. Therefore we preferably work with systems such as Linux, OpenBSD or FreeBSD when possible. One of the advantages with open source is that it allows review so that security flaws can be discovered, it also means that we are able to fix security flaws by ourselves and implement new features when needed. For those of you that have already taken precautions to increase your security but want to confirm that it withstands a real hacking attempt we offer so called penetration tests where we from the outside try to identify flaws and gain access to your network and your servers. We use the same methods as the hackers to give you a realistic idea of how exposed you are to intrusion attempts and give you a detailed report with suggestions on actions to be taken. We also perform internal penetration testing, where we test your security from within your local network. Internal penetration tests do not necessarily only show you how exposed you are to insider attacks from your own employees. Security flaws in client programs like the mail client or web browser used to implant a trojan that establishes an outgoing connection to the attacker is one example of a method that can be used to access your company's LAN, where security is often weak since one have put too much trust in perimeter protection such as firewalls. For those of you that work with for instance penetration testing yourselves and need tools to use certain security flaws during your work we can develop exploits. We can also give our assistance to your own technicians and programmers during the analysis of security flaws. We can give general support and counselling to your technicans and system administrators when security measures are to be introduced, when security flaws are discovered or when an intrusion has occured. If you work with security yourselves we can educate your personnel in practical analysis of current security issues, code review with the purpose of finding exploitable bugs and techniques to develop exploits for bugs such as:
Knowledge in C-programming is a prerequisite, but the level is individually adjustable of course. The length, extent and form of the training is dependent on the participants previous knowledge and how deep they want to delve. Practical assignments and theoretical lectures are alternated and help given when needed. This training is fairly unique in its kind and is aimed towards both the independent security consultant and the security companies that wants to be at the top knowledge wise. The participants are given a detailed written judgement based on their knowledge and achievements during the training.
|