Service comparison

MEFORMA manual security audit methodology

Flinder automated security and robustness testing framework

MEFORMA combines techniques from well-known international standards and guidelines, such as the Common Criteria or ISACA's COBIT, with effective IT product evaluation and testing practices based on

  • evaluating proofs of correctness,
  • cross-referencing against a database of previously known vulnerabilities, and
  • deep, bit-level analysis of the system driven by human intelligence.

Flinder can discover typical security-relevant programming bugs and detect potential vulnerabilities by generating, executing and evaluating a vast number of special test vectors. It uses intelligent fuzzing, reactively iterating test algorithms and generic, protocol-independent test cases, which can easily be extended with special plug-in test methods and customized to any protocol.
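The loop the paragraph above describes (generate test vectors, execute them against the target, evaluate the outcome, and feed interesting vectors back into the next round; generic mutators alongside a format-specific plug-in) can be illustrated with a small harness. The following Python is an added example written for this page; it is not Flinder's code and says nothing about how Flinder is built. The toy wire format (length, type, ZLIB-compressed body), the naive and hardened parsers, the mutator names and the MAX_BODY limit are all constructed for the example.

```python
import random
import struct
import zlib
from collections import Counter
from typing import Callable, Dict, List

# Constructed toy wire format (an assumption for this example): 4-byte big-endian
# length of the compressed body, 1-byte message type, ZLIB-compressed "key=value".
MAX_BODY = 1 << 16  # largest decompressed body the hardened parser will accept

def build_message(msg_type: int, body: bytes) -> bytes:
    comp = zlib.compress(body)
    return struct.pack(">IB", len(comp), msg_type) + comp

class Rejected(ValueError):
    """Graceful rejection of a malformed frame: the outcome we want to see."""

def parse_naive(buf: bytes) -> dict:
    """Fuzz target: trusts the header and the decompressed size (toy defects)."""
    length, msg_type = struct.unpack(">IB", buf[:5])
    body = zlib.decompress(buf[5:5 + length])
    key, value = body.split(b"=", 1)
    return {"type": msg_type, "key": key, "value": value}

def parse_hardened(buf: bytes) -> dict:
    """Same format, but every untrusted field is checked before use."""
    if len(buf) < 5:
        raise Rejected("short header")
    length, msg_type = struct.unpack(">IB", buf[:5])
    if length != len(buf) - 5:
        raise Rejected("length field disagrees with frame size")
    d = zlib.decompressobj()
    try:
        body = d.decompress(buf[5:], MAX_BODY)  # bounded decompression
    except zlib.error as exc:
        raise Rejected(f"bad zlib stream: {exc}")
    if d.unconsumed_tail or not d.eof:
        raise Rejected("body exceeds MAX_BODY or stream is truncated")
    key, sep, value = body.partition(b"=")
    if not sep:
        raise Rejected("missing key/value separator")
    return {"type": msg_type, "key": key, "value": value}

# Registry of test methods: generic ones and format-specific plug-ins share it.
Mutator = Callable[[bytes, random.Random], bytes]
MUTATORS: Dict[str, Mutator] = {}

def mutator(name: str):
    def register(fn: Mutator) -> Mutator:
        MUTATORS[name] = fn
        return fn
    return register

@mutator("bitflip")        # generic: flip one random bit anywhere in the frame
def bitflip(data: bytes, rng: random.Random) -> bytes:
    if not data:
        return data
    b = bytearray(data)
    b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
    return bytes(b)

@mutator("truncate")       # generic: cut the frame short at a random point
def truncate(data: bytes, rng: random.Random) -> bytes:
    return data[:rng.randrange(len(data) + 1)]

@mutator("boundary_int")   # generic: overwrite a 32-bit window with an edge value
def boundary_int(data: bytes, rng: random.Random) -> bytes:
    if len(data) < 4:
        return data
    b = bytearray(data)
    pos = rng.randrange(len(b) - 3)
    b[pos:pos + 4] = struct.pack(">I", rng.choice([0, 1, 0x7FFFFFFF, 0xFFFFFFFF]))
    return bytes(b)

# Format-aware plug-in: a well-formed frame of roughly 1 KiB whose body inflates
# to 1 MiB, i.e. a decompression-ratio test that only makes sense for this format.
_INFLATE = build_message(1, b"k=" + b"\x00" * (1 << 20))

@mutator("zlib_inflate")
def zlib_inflate(data: bytes, rng: random.Random) -> bytes:
    return _INFLATE

def evaluate(parser: Callable[[bytes], dict], vector: bytes) -> str:
    """The oracle: turns one execution into a verdict string."""
    try:
        result = parser(vector)
    except Rejected:
        return "rejected"
    except Exception as exc:  # any other exception is an unhandled fault
        return f"unexpected:{type(exc).__name__}"
    if len(result["value"]) > MAX_BODY:
        return "resource"     # output vastly larger than the framed input
    return "ok"

def run_campaign(parser: Callable[[bytes], dict], seed: int = 1,
                 iterations: int = 200) -> Counter:
    """Generate, execute, evaluate; a vector that yields a not-yet-seen
    (mutator, verdict) pair joins the corpus, so later rounds build on it."""
    rng = random.Random(seed)
    corpus: List[bytes] = [build_message(1, b"user=alice")]  # constructed valid seed
    seen, verdicts, names = set(), Counter(), sorted(MUTATORS)
    for _ in range(iterations):
        name = rng.choice(names)
        vector = MUTATORS[name](rng.choice(corpus), rng)
        verdict = evaluate(parser, vector)
        verdicts[verdict] += 1
        if (name, verdict) not in seen:
            seen.add((name, verdict))
            corpus.append(vector)
    return verdicts

if __name__ == "__main__":
    for target in (parse_naive, parse_hardened):
        print(target.__name__, dict(run_campaign(target)))
```

Running the script prints the verdict counts per target. The naive parser should produce "unexpected:…" verdicts (struct.error on short frames, zlib.error on damaged streams, ValueError when the separator is missing) plus a "resource" verdict from the inflation plug-in, while the hardened parser should only ever answer "ok" or "rejected". The evaluation step is what makes the run useful: a crash and a clean rejection look identical to a harness that only checks whether the target returned.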


Comparison of services

In the table below, "IT security audit services" refers to the MEFORMA manual security audit methodology and "IT security testing services" to the Flinder automated security and robustness testing framework. Each row gives the audit entry first, then the testing entry.

Advantages

  IT security audit services:
  • Based on human intelligence, it can find even special security issues related to specification, architecture or implementation deficiencies.

  IT security testing services:
  • It can find the majority of typical programming bugs (e.g. buffer overflows, code/SQL injection, encoding and other robustness problems), which are responsible for the largest share of exploitable security vulnerabilities. Correcting the bugs found remarkably increases code quality.

Application areas

  IT security audit services:
  • Any IT system, including software, hardware and embedded products

  IT security testing services:
  • From arbitrary file formats to complex protocols (described in UML statecharts)
  • Platform independent
  • Easy customization

Scale

  IT security audit services:
  • From some tens to a hundred evaluation steps

  IT security testing services:
  • From some thousands up to several tens of thousands of test cases

Complexity

  IT security audit services:
  • Black-box evaluation: without any internal information
  • Reverse engineering: assuming adversaries with high attack potential, reverse engineering of internals should be considered
  • Source code analysis: code review of implementation details

  IT security testing services:
  • Basic structure complexity: only simple formats and elements
  • Standard structure complexity: compression algorithms (e.g. ZLIB, RLE) and other special encodings (e.g. ASN.1, DER, XML/SOAP)
  • Professional structure complexity: cryptographic operations:
    • hash computation (e.g. MD5, SHA1)
    • symmetric key encryption (e.g. DES, 3DES, AES)
    • asymmetric key encryption (e.g. RSA)
    • symmetric digital signatures (e.g. HMAC)
    • asymmetric digital signatures (e.g. DSS, RSAwithSHA1)

Project phases

  IT security audit services:
  • Preparation phase (1-3 weeks): test environment setup. Deliverable: Evaluation Plan
  • Security evaluation phase (5-8 weeks): manual evaluation. Deliverable: Evaluation Report
  • Analysis & recommendation phase (1-3 weeks): risk analysis, recommendation collection. Deliverable: Audit Report
  • Review phase (8-12 weeks). Deliverable: Review Report

  IT security testing services:
  • Preparation phase (1-4 weeks): test environment setup, customization. Deliverable: Test Plan
  • Test execution phase (1-3 weeks): automated test execution. Deliverable: Automatically generated test reports
  • Evaluation & recommendation phase (1 week): risk analysis, recommendation collection. Deliverable: Test Report
  • Regression testing phase (8-12 weeks): Flinder Re-run tool. Deliverable: Regression Report


Contact us at sales@search-lab.hu to request a proposal.

© SEARCH-LAB Ltd | Budafoki út 91., Budapest 1117, Hungary | phone/fax: +36-1-205-3098 | info@search-lab.hu