cloudbreaker.co -- an AppSec company

Perimeter-based and layered architectures are no longer the holy grail of security. Important enterprise software should be built on the presumption that it will face direct attacks. Neither a script kiddie nor a well-prepared attacker should be able to get a grip on the application.

The Cloudbreaker Co. is an expert in software vulnerabilities and security quality assurance. We install application security knowledge, methods and practices into the workshops of enterprise software development. From planning to testing, we enhance the production process so that even an experienced intruder would not be able to compromise the application. We provide comprehensive AppSec support, on-demand code review, training and penetration testing. We implement SeQA*, a security quality assurance system. We can leverage our decade-long experience of developing security software for banks. The members of our company are also the founders of the Hungarian Chapter of OWASP.

* SeQA (Security Quality Assurance) –
an AppSec policy usable even in Central European enterprises. It contains SSA requirements and methodologies, technology-specific instructions, a subcontract amendment on undertaking vulnerability-free releases, a training plan and a scoring engine.

Our AppSec policy enables enterprises to buy secure software or to have it developed.

SeQA as an enterprise standard:

  • a significant step in securing applications and data;
  • easy to employ by the developers, can become a routine in development;
  • instructions derived from authoritative sources (e.g. SANS Institute, OWASP, MS SDL);
  • its TCO is favorable relative to renowned international standards;
  • provides adequate procurement requirements;
  • can be demanded in a correct way in development contracts.


** Our company has a decade-long experience in enterprise security solutions. The security consultancy grew out of implementing IAM in the banking industry. (Our innovative IDM solution was also honored with a renowned European award.)

The cloudbreaker.co is the AppSec and EH (ethical hacking) branch of azd.security Kft., which used to concentrate on web application vulnerability assessments.

Main references of the company:
Budapest Bank (GE Money Hungary), GIRO Zrt., IHM/ITKTB, Hong Kong Immigration Office.

Main references of the Cloudbreaker branch:
AEGON Hungary, Foxconn Hungary, Országleltár.gov.hu, EUB.

The SeQA policy was created in cooperation with the Law Office of Agnes Dudas Dr. The Cloudbreaker is the founder of the consortium that consists of the experts and workshops of enterprise security. Members of this ES consortium:
Silent Signal (ethical hacking), Law Office of Agnes Dudas Dr, Péter Rónaszék (ISO 27001), Formula/400 (security-aware development).

AppSec trainings

Secure coding

The biggest reason for the proliferation of vulnerable applications is that developers are unaware of the actual, typical vulnerabilities and the – usually simple – ways to avoid them. Developers, on the other hand, are quite keen on learning secure development practices related to the technologies they employ; thus there is a convenient and simple way to address one of the main sources of security problems, and it has positive HRM outcomes as well. Cloudbreaker came into being on the grounds of a recognized development workshop; hence, our trainers possess the competence and authority needed to create an educational atmosphere.

Our courses on secure coding are focused on different widely applied development technologies (e.g. JEE, .NET, PHP). During the training program, which lasts half a day or two afternoons, developers also learn the fundamentals of secure software development and adopt the way of thinking it requires.

Our training course provided to other selected members of the development process is also noteworthy – see Security champion training program below.

Thematic courses

  • General IT security awareness
  • Secure web development
  • Secure development in .NET
  • Secure development in Java
  • Secure development in PHP
  • Security testing of web applications
  • MS SDL training

The kind of education we provide is not limited to secure coding only. Our training topics include code analysis, penetration tests and security audits as well. We are glad to transfer our experience as consultants and ethical hackers.

Security awareness evangelization in enterprises

The topic ‘General IT security awareness’ mentioned above is intended not only for developers; improving information security knowledge may be essential for many other actors in the enterprise. Security problems concerning enterprise software are also related to the fact that the business/procurement department lacks sufficient security awareness, so security cannot become part of the business definition and procurement requirements.

In a joint effort with our training and internal communication partners, we try to make information on application security and risks available to all concerned parties and promote responsible handling of problems. Besides education, another key area of intervention is promoting the injection of security awareness into organizations so that it genuinely permeates all activities there.

AppSec services/consulting

Adding security to development projects

SeQA, the Security Quality Assurance framework we develop, provides a system for installing application security practices in organizations and operating them thereafter. While clients can implement SeQA-like measures on their own, they may also request the assistance of Cloudbreaker or other consulting agencies to do so. Our services detailed below can also be employed to complement the application of an AppSec regulation.

Our services can also be used individually, as AppSec expert support for development projects (be it outsourced or internal development):

Threat modeling

In order to build appropriate security, it is important to recognize and consider potential attacks and identify the appropriate protection techniques.

We strongly recommend using this expert service during the planning stage of development projects. Even in case of a limited budget, it is essential to schedule at least one consultation with a professional experienced in security matters, especially concerning attacks. When, in turn, security quality is of critical importance, it is advised to rely on the results of a more systematic threat modeling.

Architecture consulting

Application security competence needs to be employed at least during the planning stage of software development. The participation of an experienced security expert in the architecture team ensures that security aspects are enforced in decision making related to project design, and guarantees a high professional standard in the planning of security functionality.

Security champion training

Involving a security champion is recommended by the MS SDL secure development process methodology we advocate. To prevent any misunderstanding: this person is not a security expert but a key member of the development team, who is there to represent security aspects in the everyday practice of development, e.g. during development and evaluation meetings, at every moment of preparation and decision making.

For this purpose, the given person should complete security courses in a committed manner and participate in a short training program in order to be able to fulfill this responsible role.

Security testing built into development

A few decades ago, development workshops and clients had a hard time acknowledging that quality assurance and testing were an important and integral part of the development process, requiring special expertise; by the same token, security testing is not yet given its due place and significance.

Our goal is to help integrate security-related test cases into testing scenarios and make the security requirements check part of the continuous integration (CI) process.

Designing SSDL practices and activities

Integrating secure software development into the corporate development culture ensures that security receives due attention throughout the development lifecycle, in every phase from planning to maintenance. Relying on our expert materials, SSDL practices can be implemented on enterprise development platforms (JEE, .NET, etc.).

Hardening development environment

An important aspect of security-aware development is ensuring a reinforced and controlled environment for development and deployment. Measures in this area aim at preventing any unauthorized person from accessing or modifying the source code.

Designing and supporting other AppSec measures

Having our own regulatory product, SeQA, and considering our previous assignments as experts, a decade of IAM development and successes in ethical hacking, we are prepared to act as security consultants in corporate software development processes.

Preparing terms and conditions, guides and technical aid tools

We are at your disposal to draft the necessary security regulations, development guides and other technical aid tools to help with compliance audits and to ensure that development processes meet the security and other standards of the given industry (e.g. PCI DSS, CC, etc.).

Audit

When using the AppSec/SSA (i.e. preventive) approach, our audit services listed below have to be integrated into the development process, either built into the testing phase or employed at some stage prior to delivery, as long as there is still time to apply changes to the application to be delivered without violating testing or shipment protocols. Auditing applications already used in live environments is expedient only if the developer is able to ensure that the results of the review will be applied within a short patch cycle, at reasonable cost or under conditions of warranty.

Code review

At the Cloudbreaker company we prefer white-box testing. That said, we always recommend that our clients have the code of their software reviewed by our experts, if possible from the early stages of development onward, but at the latest during the testing phase. Code review in most cases does not cover the entire source code. Review is focused on the following aspects:

  • Implementation of security functionality at architectural level,
  • Actual implementation of security functions,
  • Review of presumably vulnerable parts of the application/system.

Ideally, code review is carried out in direct contact with developers: we interview the developer about the code, explain how any weaknesses and errors can be remedied, and check the corrections.

Pre-delivery penetration testing and evaluation

Control and full penetration tests are executed by our specialized partner, Silent Signal.

Review of documentation

Review of installation and maintenance guides against the requirements of secure operation.

AppSec policy

The introduction to the AppSec policy product we develop, the Security Quality Assurance (SeQA), is coming soon.

About us

The Cloudbreaker Co. consists of enterprise software security experts. The company does not have a legal entity per se; it is a branch of azd.security Kft. with a specialized interest in application security, development process consulting and vulnerability assessment. The azd.security Kft. was known as jMind for a decade as the developer of its IAM solutions, whose innovative IDM software was awarded a renowned European award in 2008.

References

AEGON Hungary, AEGONdirekt.hu, Foxconn, Országleltár.gov.hu, EUB.

The azd.security Kft. (ex-jMind), the legal entity behind the cloudbreaker.co, has the following references in enterprise security: Budapest Bank (GE Money Hungary), GIRO Zrt., IHM/ITKTB, Hong Kong Immigration Office.

Contacts

The Cloudbreaker Company
+36.309225777
email:  santa // cloudbreaker.co
mail:  azd.security Kft., Budapest
1146, Ajtósi Dürer sor 19-21.,
Dürer tower, 3rd fl.
