Code Review and Fuzzing
Many organizations have added code review to their internal software development and DevOps process. Cambrian Security can take that effort a step further by providing on-demand, experienced security consultants to help you identify vulnerabilities and privacy issues. We will also help you build automated security fuzzing tests and integrate them into your software development and release process.
Code review engagements typically start with a general assessment of your architecture and then proceed with manual analysis and the creation of fuzzers (or code instrumentation) specialized to your application. You get to keep and freely use any fuzzers or specialized tooling we create to test the security of your application.
Cambrian Security will help you discover, prioritize and mitigate both security vulnerabilities and potential customer privacy issues.
Penetration Testing
During a penetration test, our team of experts will explore, evaluate and report on the security of your infrastructure. The scope of an assessment may be strictly limited to a specific application, or it may be wide open, targeting your entire operational infrastructure. Your incident response team may be tested, or they may follow along and be part of the attack team. The goal is to identify vulnerabilities, validate defensive measures and proactively improve your overall security posture.
Security incidents are costly. It is wise for businesses to regularly evaluate vulnerabilities and risks together with their corresponding defensive countermeasures. For example, we recommend a pentest against any new technology or application you introduce, or plan to introduce, into your infrastructure.
Penetration tests also help avoid privacy incidents that can result in fines or legal issues and generally put your brand reputation at risk. For example, we can discover specific exposures or application logic flaws that put customer data at risk, so they can be fixed before they reach production.
All penetration tests result in a detailed report that you can use to inform the immediate and long-term improvement of your security measures. You can share these reports with your customers, investors or partners to show your organization’s commitment to being proactive about your customers’ privacy and security.
Security Training
Cambrian Security provides training courses that are customized to your organization and technology stack. These are not canned courses that teach people to use specific tools. First, we teach the fundamentals, such as common vulnerability classes and secure software development process best practices. Then we use customized exercises to build a deeper understanding of those vulnerability classes as they specifically apply to your technology stack.
Typical training sessions may focus on web application vulnerabilities and their prevention or secure software development processes such as “secure AGILE” and “secure DevOps”.
Virtual CISO
Our Virtual Chief Information Security Officer service is designed for small to medium-sized businesses that would benefit from security expertise at the management level but do not have the budget for an entire security department. We provide security leadership and guidance on creating processes and policies that foster the development of a secure enterprise.
We will work directly with your executive and management team to build a strategy and architecture that meets your business needs while minimizing security risks and privacy concerns. Security policies and procedures must be clearly communicated to all levels of the organization. This is achieved through training, but also through architectural design for secure infrastructure and development processes.
Web or Mobile App Assessment
Web and mobile applications often represent the front door to an organization. We will test your applications for security vulnerabilities and privacy risks. We test for typical vulnerability classes (SQL injection, cross-site scripting, etc.), but we also check authentication and user privilege controls for potential customer data leaks. For example, we always create two user accounts and then use one of those accounts to attempt to access the data of the other; a success indicates a broken object-level authorization (insecure direct object reference) flaw, which is one of the most common ways customer data leaks from an otherwise authenticated application.
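The two-account check described above can be automated so it runs on every build rather than once per engagement. The following is an added illustration, not Cambrian Security's own tooling: it models an "order lookup" endpoint twice, once with the ownership check missing and once with it present, and runs the same cross-account test against both. The in-memory users, session tokens and order records are constructed for the example; against a real application the two handler functions would be replaced by HTTP requests carrying each account's session cookie or bearer token.

```python
"""Two-account authorization check (horizontal privilege escalation / IDOR).

Constructed example: an in-memory 'order' API with one vulnerable and one
hardened handler, plus a checker that logs in as user A and requests user B's
records. Nothing here talks to a network."""

# Constructed sample data: two accounts, each owning one order.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}   # session token -> user
ORDERS = {
    101: {"owner": "alice", "total": "42.00"},
    202: {"owner": "bob", "total": "13.37"},
}
OWN_IDS = {"alice": [101], "bob": [202]}              # what each user may read


def get_order_vulnerable(session_token, order_id):
    """Authenticates the caller but never checks who owns the order (IDOR)."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order                       # any logged-in user gets any order


def get_order_hardened(session_token, order_id):
    """Same lookup, with an ownership check on the object itself."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    # Answer 404 for both 'missing' and 'not yours' so an attacker cannot
    # confirm that another customer's order id exists.
    if order is None or order["owner"] != user:
        return 404, None
    return 200, order


def cross_account_check(handler, sessions=SESSIONS, own_ids=OWN_IDS):
    """Run the two-account test against `handler`.

    Returns (baseline_ok, findings). baseline_ok confirms every user can read
    their own objects, so a handler that denies everything cannot 'pass'.
    findings lists (attacker, victim, object_id) for every cross-account read
    that succeeded, i.e. each is a customer-data leak."""
    user_token = {u: t for t, u in sessions.items()}
    baseline_ok = all(
        handler(user_token[u], oid)[0] == 200
        for u, ids in own_ids.items() for oid in ids
    )
    findings = []
    for attacker, atok in user_token.items():
        for victim, ids in own_ids.items():
            if victim == attacker:
                continue
            for oid in ids:
                status, _ = handler(atok, oid)
                if status == 200:
                    findings.append((attacker, victim, oid))
    return baseline_ok, findings


if __name__ == "__main__":
    for name, h in (("vulnerable", get_order_vulnerable),
                    ("hardened", get_order_hardened)):
        ok, leaks = cross_account_check(h)
        verdict = "PASS" if ok and not leaks else "FAIL"
        print(f"{name}: baseline_ok={ok} cross-account reads={leaks} -> {verdict}")
```

The baseline step matters: an endpoint that returns 404 for everything would trivially "pass" the cross-account test, so the checker first confirms that each account can still read its own records. In a real assessment the same loop is pointed at every object identifier the application exposes (order ids, invoice numbers, file names, user ids in profile URLs), with the two accounts registered through the normal sign-up flow.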