I had the privilege to discuss with Suphi Cankurt, founder of AppSec Santa.
A few weeks ago, Suphi interviewed Hugues Thiebeauld, eShard's CEO, to present our vision of the MAST market. You can access the esChecker page on AppSec Santa's website or directly on esChecker.
It's now our turn to get Suphi's point of view.
Suphi, who are you, and what is the genesis of AppSec Santa?
The cybersecurity teams are struggling to keep up with the speed of agile development. There is a 100:1 developer/cybersecurity engineer ratio, so you have to work smarter and faster, and it starts with having the right tools.
At AppSec Santa, I am helping companies to test fast and choose “the right” application security tools. You can find the list of DAST tools on my website.
In the AppSec Testing world, we feel that Mobile Apps are late and less mature. What is your opinion on this?
In 2014, Gartner was saying that more than 75% of mobile applications failed basic security tests, and I think the situation is way better now. Mobile security testing started to become popular in 2017, and it usually takes 5-7 years to be mainstream, and now we are here.
With your experience, what problems should the ideal MAST tool solve? How?
Mobile security testing requires a specific domain experience which is not common, and an ideal MAST tool should bring this to the team.
It should be able to execute the app in a real-device state and run attacks as a hacker does to cover certain situations on jailbreak/rooted devices. It is not possible to find those issues with source code scanning.
Mobile App Sec is a place where Security Experts and Mobile Engineers meet. Do you have an anecdote to be shared about this relationship, which can be harsh sometimes?
I believe the dance between the engineering and security team is more of a collaboration and strategy issue than a technical one. When the security team positions itself as the guardian of the company and dictates rules/policies to the engineering team without having their involvement in the reasoning/decision process, what happens is that the development team will see these processes as a bottleneck and look for ways to bypass them. We all know the “looks good to me” comments on management-enforced code reviews.
Pentesters tend to not like MAST tools. Do you see these tools as a threat or an opportunity for them?
I think this frustration comes from having experiences with half-baked technologies. It is like calling your bank and getting stuck in call centre automation and wasting 5 min before reaching a real person to get it done.
If your tool delivers what it promises without causing you extra hassle with false positives, I think no pentester will battle with this.
Could you share some resources (blogs, YouTube channels, events, books, etc.), other than AppSecSanta, about Mobile App Security Testing?
There is Wojciech Reguła's blog, and I am a big fan of academic papers, for example, Comparative analysis of Android and iOS from a security viewpoint.