Software security consulting
Expert support for identifying and solving software vulnerabilities
Today it is not enough for our servers and networks to be adequately protected. The software we use, and the components built into it, must also be checked regularly for vulnerabilities. Recent years have provided countless examples of attackers exploiting a vulnerable component, or a weakness in that component's update mechanism, to lock systems and demand a ransom for their release. Such incidents cost not only revenue but also reputation, destroying an image the company has carefully built up over years. To avoid this, protection must begin in the software development phase and then be re-checked regularly during maintenance. Our company's experts can help with this: they assess the vulnerabilities involved and then recommend how each case should be handled.
PREVENTION DURING SOFTWARE DEVELOPMENT
Careful protection starts during development, and fortunately many tools and methods are available for it. One such method, in the case of the Java programming language, is to add a step to the build process that regularly checks whether the project uses a component with a publicly known vulnerability. Two such tools are OWASP Dependency-Check and the Snyk scanner. Both read the project files, discover the dependencies (including transitive ones) and look the identified components up in a vulnerability database (Dependency-Check uses the NVD, Snyk its own database).
Both tools also have plug-ins for many development environments, such as Eclipse and the JetBrains IDEs, and Dependency-Check ships plug-ins for Maven, Gradle and Jenkins as well, so the same check can run in the CI pipeline and not only on the developer's desk.
If a vulnerability is found, we must decide how to handle it. In the best case a fixed release of the component already exists and a version bump resolves the problem. If that is not feasible (for example the fix is not yet released, or the upgrade breaks the application), a compensating control must be used instead, such as restricting access to the affected network ports, within the internal network as well, and recording the accepted risk until a fixed version can be adopted.
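As an added illustration of the build-step gate described above (example code written for this page, not code from OWASP Dependency-Check, Snyk or the consulting company), here is a small Python script that reads a Dependency-Check JSON report and fails the build when any finding reaches a CVSS threshold. It assumes the report layout Dependency-Check writes with `--format JSON` (a top-level `dependencies` list whose entries carry an optional `vulnerabilities` list with `cvssv3.baseScore` or `cvssv2.score`); the embedded report is constructed and uses placeholder identifiers rather than real CVE numbers. The Maven plug-in can enforce the same policy on its own through its `failBuildOnCVSS` setting; a separate gate like this is useful when the report comes from the CLI or is consumed by a later pipeline stage.

```python
"""Fail a build when a Dependency-Check JSON report contains a finding at or
above a CVSS threshold.

Added example for this page, not part of the Dependency-Check project.
Assumes the JSON report layout: {"dependencies": [{"fileName": ...,
"vulnerabilities": [{"name": ..., "cvssv3": {"baseScore": ...},
"cvssv2": {"score": ...}}]}]}. The sample report below is constructed and
its vulnerability identifiers are placeholders, not real CVE numbers.
"""
import json
import sys

# Constructed sample report: one clean dependency (no "vulnerabilities" key,
# as the real report omits it) and one with two findings of different severity.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "app-core-1.2.jar"},
        {
            "fileName": "legacy-parser-0.9.jar",
            "vulnerabilities": [
                {"name": "EXAMPLE-0001", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8}},
                {"name": "EXAMPLE-0002", "severity": "MEDIUM",
                 "cvssv2": {"score": 5.0}},
            ],
        },
    ]
})


def score_of(vuln: dict) -> float:
    """Highest CVSS score recorded for one finding: v3 base score preferred, v2 as fallback."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    scores = [float(s) for s in (v3.get("baseScore"), v2.get("score")) if s is not None]
    return max(scores) if scores else 0.0


def findings(report_json: str, threshold: float):
    """Return (dependency file, finding id, score) for every finding at or above threshold,
    highest score first."""
    report = json.loads(report_json)
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = score_of(vuln)
            if score >= threshold:
                hits.append((dep.get("fileName", "?"), vuln.get("name", "?"), score))
    return sorted(hits, key=lambda h: -h[2])


def gate(report_json: str, threshold: float = 7.0) -> int:
    """Print the blocking findings and return the process exit code: 0 = pass, 1 = fail."""
    hits = findings(report_json, threshold)
    for dep, name, score in hits:
        print(f"BLOCK {dep}: {name} (CVSS {score:.1f} >= {threshold})")
    if hits:
        print(f"{len(hits)} finding(s) at or above CVSS {threshold}; failing the build")
        return 1
    print(f"no findings at or above CVSS {threshold}")
    return 0


if __name__ == "__main__":
    # Usage: python gate.py target/dependency-check-report.json [threshold]
    # Without arguments the constructed sample report is evaluated.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_REPORT
    limit = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    sys.exit(gate(data, limit))
```

In a pipeline this runs right after the scan step; the non-zero exit code is what stops the build, and the printed blocking list is the input to the handling step described above (version bump, or a compensating control with the risk recorded).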
PREVENTION BEFORE INSTALLING THE SOFTWARE
If our application is self-contained and depends on no external service (e.g. a database), the task is simple, because everything was already checked during development. Otherwise the services it depends on must also be checked for known vulnerabilities, and any that are found have to be dealt with before installation, just as with the application's own components.
PREVENTION FOR DOCKER CONTAINERS
With the spread of Docker containers, software development, testing and deployment have become more efficient and simpler. At the same time, a Docker container obtained from an untrusted source can be a serious danger. Most software vendors (e.g. Oracle, Red Hat, Apache) build and officially publish the Docker images containing their applications. There are also images that differ from the vendor's release; with these we must be very careful and inspect the Dockerfile itself to see how the image was built, so that hidden (Trojan) content is not brought in.
The finished image must be checked as well: the service we want to use (e.g. a database server) may itself be fine while the operating system layer it runs on contains vulnerable packages.
Both the Dockerfile and the finished Docker image can be checked with the OWASP and Snyk tools.
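As an added example for the Dockerfile review described in this section (written for this page; not code from OWASP, Snyk or any vendor named above), here is a Python script that flags the patterns a reviewer looks for before building an image: a base image from outside an allowlist of registries, a base image not pinned by digest, downloads piped straight into a shell, remote `ADD` sources, disabled TLS verification, and a container that still runs as root. The allowlist of trusted registries and both Dockerfiles in the script are constructed for the example (the digest is a placeholder of zeros). This is a pre-check on the Dockerfile text only; it does not replace scanning the built image for vulnerable OS packages with the tools mentioned above.

```python
"""Flag risky patterns in a Dockerfile before the image is built.

Added example written for this page; not code from OWASP, Snyk or any vendor
named on the page. The allowlist and both sample Dockerfiles are constructed.
"""
import re

# Example allowlist (an assumption for this demo): Docker Hub official images and
# two vendor registries. Adjust it to the sources your organisation trusts.
TRUSTED_IMAGE_PREFIXES = (
    "docker.io/library/",
    "registry.access.redhat.com/",
    "container-registry.oracle.com/",
)

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")
INSECURE_TLS_RE = re.compile(r"--no-check-certificate|--insecure|(^|\s)-k(\s|$)")

# Constructed sample: an image built the risky way.
RISKY_DOCKERFILE = """\
FROM someone/app-runtime:latest
RUN curl -fsSL https://example.invalid/install.sh | sh
ADD https://example.invalid/tool.tar.gz /opt/
COPY app.jar /opt/app.jar
CMD ["java", "-jar", "/opt/app.jar"]
"""

# Constructed sample: the same service on a pinned official image, run as non-root.
# The digest is a placeholder of zeros, not a real image digest.
HARDENED_DOCKERFILE = """\
FROM docker.io/library/eclipse-temurin:17-jre@sha256:""" + "0" * 64 + """
RUN useradd --system --uid 10001 app
COPY --chown=app:app app.jar /opt/app.jar
USER app
ENTRYPOINT ["java", "-jar", "/opt/app.jar"]
"""


def parse_instructions(text: str):
    """Yield (INSTRUCTION, arguments) pairs; joins backslash continuations, skips comments."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        parts = (pending + line).split(None, 1)
        pending = ""
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def normalize_image(ref: str) -> str:
    """Expand a short reference to registry/namespace/name, e.g. 'nginx' -> 'docker.io/library/nginx'."""
    repo = ref.split("@", 1)[0]                       # drop any digest
    if repo.rfind(":") > repo.rfind("/"):
        repo = repo[: repo.rfind(":")]                # drop the tag
    parts = repo.split("/")
    has_registry = len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost")
    if not has_registry:
        parts = ["docker.io"] + parts
    if parts[0] == "docker.io" and len(parts) == 2:
        parts.insert(1, "library")                    # official Docker Hub image
    return "/".join(parts)


def review_dockerfile(text: str):
    """Return (instruction, finding) pairs for every risky pattern found in the Dockerfile."""
    findings, stages, last_user = [], set(), None
    for instr, arg in parse_instructions(text):
        if instr == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]   # skip --platform=...
            image = tokens[0]
            if image in stages:                       # 'FROM build' in a multi-stage file
                continue
            if len(tokens) == 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2])
            if not normalize_image(image).startswith(TRUSTED_IMAGE_PREFIXES):
                findings.append(("FROM", f"{image}: base image is not from a trusted registry"))
            if not DIGEST_RE.search(image):
                findings.append(("FROM", f"{image}: base image is not pinned by sha256 digest"))
        elif instr == "RUN":
            if PIPE_TO_SHELL_RE.search(arg):
                findings.append(("RUN", "downloaded content is piped straight into a shell"))
            if INSECURE_TLS_RE.search(arg):
                findings.append(("RUN", "TLS certificate verification is disabled"))
        elif instr == "ADD" and re.match(r"https?://", arg):
            findings.append(("ADD", "remote source fetched without checksum; use COPY or RUN with verification"))
        elif instr == "USER":
            last_user = arg.split(":")[0].strip()
    if last_user in (None, "root", "0"):
        findings.append(("USER", "container runs as root: no non-root USER instruction"))
    return findings


if __name__ == "__main__":
    for label, text in (("risky", RISKY_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        result = review_dockerfile(text)
        print(f"{label}: {len(result)} finding(s)")
        for instr, msg in result:
            print(f"  {instr}: {msg}")
```

The digest check is the important one for the "image that differs from the vendor's version" case: a tag such as `latest` can be repointed at different content at any time, whereas a `@sha256:` digest identifies exactly the layers that were reviewed.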