The third article in our series on AppSec and DevSecOps experts is now live.
After meeting with Michelle Mesquita from EY, it's now time to interview Giovana Assis, AppSec Tech Manager at Nubank.
Here's a summary of our discussions:
💬 Hi Giovana, could you please introduce yourself?
Hi! I'm Giovana Assis, a Brazilian cybersecurity professional with 12 years of experience, and nowadays I work as an Application Security Tech Manager at Nubank.
💬 Do you feel that the market is getting more and more mature to switch from DevOps to DevSecOps?
Yes, we can notice that companies around the world are more and more aware of the cyber threats that exist and understand the importance of cybersecurity.
Considering that, they have begun to realise the benefits of having security integrated into the DevOps pipeline and how that can be more agile than the regular approach.
💬 With your experience, could you list the advantages of an automated step in security testing, on top of all the manual tests (code review, pentest, etc.)?
I think that the major gains are related to time, reduced labour effort and the coverage of 0-day vulnerabilities.
At the same time, no automated test will be able to achieve some results that manual testing can, such as business-logic-related tests.
💬 With all the new tools on the market, what would be the best stack?
It will depend on your company's maturity, but I would recommend the use of IAST/SAST (Interactive / Static Application Security Testing) for coding, security tools for the codebase itself (e.g. GHAS, GitHub Advanced Security), container security tools and, last but not least, your cloud provider's tools to improve its security.
💬 When running security testing on mobile apps, do you prefer the scalability of an emulator or the accuracy of a real device?
It depends on what stage I'm in: for the early test stages I would use an emulator, but I think it is very important to test and validate the mobile app on a real device at the end stage of development.
💬 What do you think of the OWASP MASVS? Should it be the security standard in all organisations?
I really like OWASP projects; they're often very complete and address important issues. Personally, I've never used MASVS, just the ASVS itself, and I really like it, but I think that organisations should use it as a baseline and adjust it to their business and/or reality.
💬 Have you followed their recent work on the OWASP MASVS refactoring?
No, I haven't, but I'll take a look at it; I'm curious about it.
💬 What are your thoughts when it comes to SAST vs. DAST? Any good practice?
I don't think that it should be a versus approach; I think that they're complementary to each other. SAST can identify vulnerabilities and issues during coding, and DAST can identify them after the app is already in the final stages or even in prod, simulating the access that the client or the attacker would have.
The best approach, in my opinion, is to use them both and take advantage of their strengths.
💬 Do you think mobile app binaries are protected enough, given that they are publicly available in app stores and potentially subject to reverse engineering?
I think that we'll never have enough protection; there will always be new attack vectors and new ways to bypass the existing protections, so the best practice, in this case, is to not expose too much info/data in the mobile app and to use stronger controls/protection/validation in the backend. Sure, you can use mTLS or other approaches to increase the security of the communication, but it's no simple task.
💬 Could you recommend some security professionals that you'd like us to interview?
On the subject of mobile security, I would definitely recommend:
Regarding AppSec/DevSecOps I would recommend:
And if you are looking for someone to talk about cryptography, I would definitely recommend Talita Rodrigues.
Interested in eShard's solution for MAST, esChecker? Feel free to request a free trial.