At Fortego Security, we aim to offer one of the most advanced security evaluation services available in the IT security industry, for example to identify potential vulnerabilities in both your own and third-party software. Doing so can prove to be a very valuable step before acquiring new software to handle your organization's confidential information.

We can help you see through the abundance of empty marketing promises like "this software uses strong encryption with billion bit keys", help you verify that the design of a product you're interested in is really secure, and finally help you confirm that the implementation of this design is done properly and securely. To sum it up, we can help your organization choose the software and systems whose security functionality best suits your exact purposes.

Think First - Save Money

How many applications are being released on the market where strong cryptography is thwarted by programmers using hard-coded encryption keys? We evaluate network security applications before they are acquired and taken into production by you.

Can you determine whether a block cipher in ECB mode is suitable for encrypting bitmap images? Have a look at the image on the right-hand side and see for yourself what might happen when a very good block cipher is used for the wrong task: in ECB mode every identical plaintext block produces an identical ciphertext block, so the outline of the picture survives encryption. Verifying beforehand that your prospective security software investment or your own product design is suitable for the intended job might be the difference between total security and total fiasco.
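The effect described above, as an added example that is not part of Fortego's page: a constructed 8-bit greyscale bitmap (a white rectangle on black) is encrypted in ECB and in CBC mode, and each distinct ciphertext block is then drawn as a symbol. The block cipher is a constructed 16-round Feistel cipher with 64-bit blocks and an HMAC-SHA256 round function, used only so the example runs on the Python standard library; it stands in for Blowfish (also a 64-bit block cipher) and the key, IV and image are all constructed sample values. The ECB-vs-CBC behaviour shown does not depend on which block cipher is used.

```python
"""Why ECB mode leaks the structure of a bitmap (added example, not Fortego's code).

The block cipher below is a constructed 16-round Feistel cipher with 64-bit
blocks whose round function is HMAC-SHA256; it stands in for Blowfish (also a
64-bit block cipher) only so that the example runs on the standard library.
"""
import hashlib
import hmac
from typing import Dict, List

BLOCK = 8       # 64-bit blocks, as in Blowfish
ROUNDS = 16
KEY = b"constructed-demo-key-0123456789"   # constructed, not a real key
IV = b"\x00" * BLOCK                        # fixed IV is fine for a one-shot demo


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function: 4 bytes of HMAC-SHA256 over (round number, half-block)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 8-byte block with the demo Feistel cipher."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round(key, rnd, right))
    return right + left          # undo the final swap


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block: the same rounds applied in reverse order."""
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = right, _xor(left, _round(key, rnd, right))
    return right + left


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal plaintext blocks
    give equal ciphertext blocks. That is the weakness the text describes."""
    assert len(data) % BLOCK == 0
    return b"".join(encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block
    first, so repeated plaintext no longer produces repeated ciphertext."""
    assert len(data) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def make_image(width: int = 64, height: int = 32) -> bytes:
    """Constructed 8-bit greyscale bitmap: a white rectangle on black.
    The rectangle edges sit on 8-pixel boundaries, so every row consists
    of all-0x00 and all-0xFF blocks only."""
    rows = []
    for y in range(height):
        row = bytearray(width)
        if height // 4 <= y < 3 * height // 4:
            row[width // 4: 3 * width // 4] = b"\xff" * (width // 2)
        rows.append(bytes(row))
    return b"".join(rows)


def count_distinct_blocks(data: bytes) -> int:
    return len({data[i:i + BLOCK] for i in range(0, len(data), BLOCK)})


def render(ciphertext: bytes, blocks_per_row: int) -> List[str]:
    """Give each distinct ciphertext block a symbol in order of first
    appearance and draw the result; the ECB output redraws the rectangle."""
    symbols = ".#" + "0123456789abcdefghijklmnopqrstuvwxyz"
    seen: Dict[bytes, str] = {}
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    chars = []
    for b in blocks:
        if b not in seen:
            seen[b] = symbols[len(seen) % len(symbols)]
        chars.append(seen[b])
    return ["".join(chars[i:i + blocks_per_row])
            for i in range(0, len(chars), blocks_per_row)]


if __name__ == "__main__":
    image = make_image()
    for name, ct in (("ECB", ecb_encrypt(KEY, image)),
                     ("CBC", cbc_encrypt(KEY, IV, image))):
        print(f"{name}: {count_distinct_blocks(ct)} distinct ciphertext blocks")
        print("\n".join(render(ct, 64 // BLOCK)))
```

Run it and the ECB rendering shows the rectangle in two symbols, because the whole image contains only two distinct plaintext blocks and ECB maps each of them to one fixed ciphertext block; the CBC rendering shows a different symbol for every block. The point to take into an evaluation is that the mode of operation, not the cipher strength, decides whether this structure leaks.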

What if a one-time password authentication module for a web server used a strong hash algorithm like SHA-1 to calculate session cookies from a low-entropy data set? Would the protected application be secure from outside hackers? Most likely not: a hash cannot add unpredictability that its input never had. During our analysis we can help you identify such potential vulnerabilities before the system is put into production, sparing you the pain of finding them out the hard way.
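The cookie problem above, as an added example that is not part of Fortego's page: `weak_cookie` hashes a username and a login timestamp with SHA-1 (the pattern the text warns about), `weak_cookie_search_space_bits` puts a number on how little unpredictability that cookie actually has, and `SessionStore` shows the alternative an evaluator would want to see, a token drawn from the operating system's CSPRNG and compared in constant time. All names, the user counts and the time window are constructed for the illustration.

```python
"""Session cookies: strong hash, weak input (added example, not Fortego's code)."""
import hashlib
import hmac
import math
import secrets
from typing import Dict, Optional


def weak_cookie(username: str, login_time: int) -> str:
    """The pattern the text warns about: SHA-1 over a low-entropy data set.
    Two logins by the same user in the same second get the same cookie."""
    return hashlib.sha1(f"{username}:{login_time}".encode()).hexdigest()


def weak_cookie_search_space_bits(user_count: int, window_seconds: int) -> float:
    """Upper bound on the unpredictability of weak_cookie: log2 of the number
    of (user, second) pairs in the window. SHA-1's 160-bit output length is
    irrelevant; the cookie is only as unpredictable as its inputs."""
    return math.log2(user_count * window_seconds)


class SessionStore:
    """Server-side session table with CSPRNG tokens.

    Only a SHA-256 digest of each token is kept, so a leaked table does not
    hand out usable cookies; lookups compare digests in constant time."""

    TOKEN_BYTES = 32  # 256 bits of entropy from the OS CSPRNG

    def __init__(self) -> None:
        self._sessions: Dict[bytes, str] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def create(self, username: str) -> str:
        """Issue a fresh token; the hash here is for storage, not for entropy."""
        token = secrets.token_hex(self.TOKEN_BYTES)
        self._sessions[self._digest(token)] = username
        return token

    def lookup(self, token: str) -> Optional[str]:
        """Return the user for a presented token, or None if it is unknown."""
        wanted = self._digest(token)
        for stored, username in self._sessions.items():
            if hmac.compare_digest(stored, wanted):
                return username
        return None

    def revoke(self, token: str) -> bool:
        return self._sessions.pop(self._digest(token), None) is not None


if __name__ == "__main__":
    # Constructed figures: 1,000 users, cookies issued during one day.
    print(f"weak cookie: about {weak_cookie_search_space_bits(1000, 86_400):.1f} "
          f"bits of unpredictability despite a 160-bit SHA-1 output")
    store = SessionStore()
    t = store.create("alice")
    print(f"strong cookie: {len(t) * 4} bits, lookup -> {store.lookup(t)}")
```

The number that matters in a review is the one `weak_cookie_search_space_bits` returns: for a thousand users and a one-day window it is roughly 26 bits, regardless of the hash algorithm. The fix is not a stronger hash but a token that is random to begin with, as in `SessionStore.create`.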

In addition to your proprietary software and third-party products, we also analyze viruses, trojans and other malicious code that might have infiltrated your organization. In connection with our professional log analysis service, this knowledge has helped protect several of our customers by discovering, identifying and blocking previously unknown trojans. Please see a few recent examples in the advisory list below.

Design Review and Code Audit

We offer reviews at all levels of application development and usage, anything from theoretical design reviews and protocol reviews to source code audits and pure binary audits. We do advanced manual analysis, but are also familiar with tools like FlawFinder, RATS and Splint. We can handle projects involving practically all widely used languages and systems, including C, C++, C#, Java, Perl, Object Pascal, Visual Basic, ASP and PHP.

Reverse Engineering

When identifying potential vulnerabilities, you often have to resort to reverse engineering and closed-source analysis. In this area we focus mostly on the Microsoft Windows platform, making use of the leading debugger, disassembler and analysis products. We are also familiar with several kinds of packers and binary encryption, and with how to handle various anti-debugging obstacles. Although our primary focus is the Microsoft Windows platform, we also evaluate software for Linux, BSD or Solaris, for example.

Common Criteria

Our evaluation methodology uses the international standard "Common Criteria" (ISO-15408) as a framework, especially its Vulnerability Assessment class. We have sufficient knowledge to assume the role of an attacker with basic, moderate or high attack potential according to the Common Criteria supplement specifications. We estimate the risk of identified vulnerabilities according to the associated Common Criteria paper on Characterisation of Attack Potential, and we also work with FIPS PUB 140-2 and its associated test requirements for evaluations of cryptographic modules.

Please note that during our assignments we of course work in compliance with applicable laws, for example regarding copyright restrictions, and we reserve the right to decline any assignment which we deem to be illegal or unethical in any way. Our goal is to help organizations evaluate the security and reliability of security software.

[Image: disassembly screenshot]
An encryption key compiled into a program might break security completely.

[Image: encrypted bitmap]
Even a good algorithm like Blowfish, with a 128-bit key, might not protect a bitmap image very well if used in ECB mode.

Recent Advisories

Discovery of a New Variant of the Trojan Bookmaker (Bookmaker.D)
Discovery of a New IRC Trojan
Analysis of the "w32sup" trojan

Contact us

If you have any inquiries or want more information of any kind, please contact us by e-mail at