The third article in our series of interviews with AppSec and DevSecOps experts is now live. 👇
Here's a summary of our discussion:
💬 Hi Giovana, could you please introduce yourself?
Hi! I'm Giovana Assis, a Brazilian cybersecurity professional with 12 years of experience, and I currently work as an Application Security Tech Manager at Nubank.
💬 Do you feel that the market is getting mature enough to switch from DevOps to DevSecOps?
Yes, we can see that companies around the world are more and more aware of the cyber threats that exist and understand the importance of cybersecurity.
Considering that, they have begun to realize the benefits of having security integrated into the DevOps pipeline and how that can be more agile than the regular approach.
💬 With your experience, could you list the advantages of an automated step in security testing, on top of all the manual tests (code review, pentest, etc.)?
I think that the major gains are related to time, reduced labour effort and the coverage of 0-day vulnerabilities.
At the same time, no automated test will be able to achieve some results that manual testing can, such as business-logic-related tests.
💬 With all the new tools on the market, what would be the best stack?
It will depend on your company's maturity, but I would recommend the use of IAST/SAST (Interactive / Static Application Security Testing) for coding, security tools for the codebase itself (e.g. GHAS, GitHub Advanced Security), container security tools and, last but not least, the use of your cloud provider's tools to improve its security.
💬 When running security testing on mobile apps, do you prefer the scalability of an emulator or the accuracy of a real device?
It depends on what stage I'm at: for the early test stages I would use an emulator, but I think it is very important to test and validate the mobile app on a real device at the final stage of development.
💬 What do you think of the OWASP MASVS? Should it be the security standard in all organisations?
I really like OWASP projects; they're often very complete and address important issues. Personally, I've never used the MASVS, just the ASVS itself, and I really like it, but I think that organisations should use it as a baseline and adjust it to their business and/or reality.
💬 Have you followed their recent work on the OWASP MASVS refactoring?
No, I haven't, but I'll take a look at it; I'm curious about it.
💬 What are your thoughts when it comes to SAST v. DAST? Any good practice?
I don't think that it should be a versus approach; I think that they're complementary to each other. SAST can identify vulnerabilities and issues during coding, and DAST can identify them after the app is already in the final stages or even in prod, simulating the access that a client or an attacker would have.
The best approach, in my opinion, is to use them both and take advantage of their respective strengths.
💬 Do you think mobile app binaries are sufficiently protected, given that they are publicly available in app stores and potentially subject to reverse engineering?
I think that we'll never have enough protection; there will always be new attack vectors and new ways to bypass the existing protections, so the best practice, in this case, is to not expose too much info/data in the mobile app and to use stronger controls/protection/validation in the backend. Sure, you can use mTLS or other approaches to increase the security of the communication, but it's no simple task.
💬 Could you recommend some security professionals that you'd like us to interview?
On the subject of mobile security I would definitely recommend:
Regarding AppSec/DevSecOps I would recommend:
And if you are looking for someone to talk about cryptography, I would definitely recommend Talita Rodrigues.