MEFORMA methodology for manual security audits
MEFORMA is a practice-oriented IT product security evaluation methodology. It combines techniques from well-known international standards and guidelines, such as the Common Criteria and ISACA's COBIT, with effective, practice-oriented IT product evaluation and testing practices based on
- evaluating proofs of correctness,
- cross-referencing against a database of previously known vulnerabilities, and
- deep, bit-level analysis of the system driven by human intelligence.
MEFORMA provides elaborated techniques to evaluate the Target of Evaluation with different levels of scrutiny, each corresponding to the assumed attack potential of the adversaries:
- black-box testing for adversaries with low attack potential
- reverse engineering for adversaries with medium attack potential
- source code analysis for adversaries with high attack potential
A dedicated development team continuously develops MEFORMA, keeping up with current security trends, audit guidelines and professional techniques. MEFORMA has been successfully used in dozens of evaluation projects and has uncovered thousands of implementation, design and architectural deficiencies.
Evaluation and testing are carried out in SEARCH-LAB's secure testing laboratory, which meets state-of-the-art security requirements and is equipped with the hardware and software tools needed to execute a vast number of test cases in parallel in a time-efficient manner.
A manual security audit relies on human intelligence and sampling-based testing techniques. It can usually detect a large share of the weaknesses and implementation bugs, but even then this approach is suitable only for measuring the security level of the target of evaluation: after the found bugs are corrected and the discovered weaknesses avoided, many others may remain. To provide remarkably better test coverage, SEARCH-LAB developed its own automated security and robustness testing framework, Flinder, which can execute a vast number of specialised tests and discover the majority of typical security-relevant implementation bugs. Once the bugs it finds are corrected, the overall code quality of the system improves remarkably.
Typical MEFORMA project setup
A typical MEFORMA security auditing project comprises the following phases:
Preparation phase (1-3 weeks)
- Test environment setup
- Evaluation Plan
Security evaluation phase (5-8 weeks)
- Manual evaluation
- Evaluation Report
Analysis & recommendation phase (1-3 weeks)
- Risk analysis
- Audit Report
Review phase (8-12 weeks)