At Fortego Security, we aim to offer one of the most advanced security evaluation services available in the IT security industry, for example to identify potential vulnerabilities in both your own and third-party software. Doing so can be a very valuable step before acquiring new software to handle your organization's confidential information.
We can help you see through the abundance of empty marketing promises like "this software uses strong encryption with billion-bit keys", help you verify that the design of a product you are interested in is really secure, and finally help you confirm that the implementation of that design is done properly and securely. To sum it up, we can help your organization choose the software and systems whose security functionality is most suitable for your exact purposes.
How many applications are released on the market where strong cryptography is thwarted by programmers using hard-coded encryption keys? We evaluate network security applications before they are acquired and taken into production by you.
Can you determine whether an ECB-mode block cipher is suitable for encrypting bitmap images? Have a look at the image on the right-hand side and see for yourself what can happen when a very good block cipher is used for the wrong task. Verifying beforehand that your prospective security software investment, or your own product design, is suitable for the intended job might be the difference between total security and total fiasco.
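The effect behind that image can be reproduced without any graphics: in ECB mode, identical plaintext blocks always produce identical ciphertext blocks, so the structure of an image survives encryption. The following is an added illustration, not code from Fortego or from any product; it uses a toy Feistel block cipher built on HMAC-SHA256, a constructed 16-pixel-wide bitmap with a black band, and a constructed key and IV, and it shows a duplicate-block check of the kind an evaluator can run on real ciphertext.

```python
import hashlib
import hmac

BLOCK = 16  # bytes per block; one image row per block in the constructed sample

# Constructed demo key and IV (labelled as such); a real system draws both at random.
KEY = b"demo-key-not-for-real-use-000000"
IV = bytes(range(BLOCK))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher: a 4-round Feistel network (illustration only)."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: every block is encrypted independently, so equal rows give equal ciphertext.
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC: each block is XORed with the previous ciphertext block before encryption.
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def repeated_block_ratio(ct: bytes) -> float:
    # Fraction of ciphertext blocks that duplicate another block (the ECB giveaway).
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return 1 - len(set(blocks)) / len(blocks)


def make_bitmap(rows: int = 64) -> bytes:
    # Constructed 1-byte-per-pixel image: 16 px wide, white rows with a black band.
    return b"".join((b"\x00" if 24 <= r < 40 else b"\xff") * BLOCK for r in range(rows))


if __name__ == "__main__":
    img = make_bitmap()
    print("ECB repeated-block ratio:", repeated_block_ratio(ecb_encrypt(KEY, img)))
    print("CBC repeated-block ratio:", repeated_block_ratio(cbc_encrypt(KEY, IV, img)))
```

With ECB the 64-row image encrypts to only two distinct ciphertext blocks, so the black band is still visible; with CBC every block differs. A high repeated-block ratio on captured ciphertext is a cheap first check for ECB use in a product under evaluation.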
What if a one-time password authentication module for a web server used a strong hash algorithm like SHA-1 to calculate session cookies from a low-entropy data set? Would the protected application be secure from outside attackers? Most likely not: the strength of the hash does not add entropy the input never had. During our analysis we can help you identify such potential vulnerabilities before the system is put into production, sparing you the pain of finding out the hard way.
In addition to your proprietary software and third-party products, we also analyze viruses, trojans and other malicious code that might have infiltrated your organization. Combined with our professional log analysis service, this knowledge has helped protect several of our customers by discovering, identifying and blocking previously unknown trojans. Please see a few recent examples in the advisory list below.
We offer reviews at all levels of application development and usage, from theoretical design reviews and protocol reviews to source code audits and pure binary audits. We do advanced manual analysis, but are also familiar with tools like FlawFinder, RATS and Splint. We can handle projects involving practically all widely used languages and systems, including C, C++, C#, Java, Perl, Object Pascal, Visual Basic, ASP and PHP.
When identifying potential vulnerabilities, you often have to resort to reverse engineering and closed-source analysis. In this area we focus mostly on the Microsoft Windows platform, making use of most leading debugger, disassembler and analysis products. We are also familiar with several kinds of packers and binary encryption, and with how to handle various anti-debugging obstacles. Even though our primary focus is the Microsoft Windows platform, we also evaluate software for Linux, BSD and Solaris, for example.
Our evaluation methodology uses the international standard "Common Criteria" (ISO 15408) as a framework, especially the Vulnerability Assessment class. We have sufficient knowledge to assume the role of an attacker with basic, moderate or high attack potential according to the Common Criteria supplement specifications. We estimate the risk of identified vulnerabilities according to the associated Common Criteria paper on Characterisation of Attack Potential, and we also work with FIPS PUB 140-2 and its associated test requirements for evaluations of cryptographic modules.
Please note that during our assignments we work with respect to applicable laws, e.g. regarding copyright restrictions, and we reserve the right to decline any assignment we deem illegal or unethical in any way. Our goal is to help organizations evaluate the security and reliability of security software.
Image caption: An encryption key compiled into a program might break security completely. Even a good algorithm like Blowfish, with a 128-bit key, might not protect a bitmap image very well if used in ECB mode.