Fuzz and inject malformed data to discover security issues
Reverse engineer application to understand internal structure
Write exploit or proof-of-concept code to validate the vulnerability

Software vulnerabilities are responsible for a majority of security breaches. The unstoppable growth of digital transformation makes software security even more important, as attackers constantly probe and exploit vulnerable applications to infiltrate an organization. Despite its criticality, software is still buggy and vulnerable to all kinds of attacks owing to a lack of software quality assurance and testing.

In contrast to the Secure Code Review service, where source code is required for security analysis, ECQ offers an Application Security Analysis service to test closed-source or proprietary software for potential security issues. The service is delivered from a black-box point of view, where no source code or internal structure of the software is provided.

The following describes the three major activities that are normally involved.

Fuzzing

ECQ carries out fuzzing and fault injection against the various interfaces of the targeted application, such as network protocols, input parameters, or file formats, to trigger crashes or unusual responses. Each crash is then debugged and analyzed for reproducibility and exploitability.

Reverse Engineering

Reverse engineering is the process of decomposing or disassembling the application to understand the inner workings of its components, structures, functions, and data flows. This step is essential for ECQ to analyze a crash and decide whether it is actually a security vulnerability.

Exploit Development

For high-risk security vulnerabilities that would result in serious impact, such as arbitrary code execution or privilege escalation, ECQ consultants write Proof-of-Concept (PoC) code and develop an exploit to validate the vulnerability. Through this exercise, ECQ can confirm the true existence of the vulnerability and establish the difficulty of, and prerequisites for, successful exploitation.