The Intersection of Software and Security

Learn More

Improve Your Software Security

Talk to an nVisium Expert Today

Build Reliable and Secure Applications

By integrating security into the development process, nVisium strives to find and help fix security vulnerabilities in our client's software while teaching our clients the importance of incorporating security from the ground up. We offer a range of comprehensive services to ensure that you and your company are protected from cyber threats, including security assessments, software assurance, and training.

nVisium

Services

Assessments

Contact us

Application Assessments

A standard assessment combines static and dynamic analysis, which allows our team to evaluate all aspects of an application and test risk mitigation solutions, This service also offers the most precise remediation advice.

IoT Assessments

The Internet of Things presents its own unique set of security challenges and requires a broad skillset for assessing. Our IoT assessments identify weaknesses in an entire IoT architecture including software, hardware, API, and web/mobile components.

Network Assessments

Using a combination of automated and manual techniques, our team will identify risks to your systems and networks that attackers could find and exploit. We will provide detailed information of our findings along with recommendations to help remediation efforts.

nVisium

Services

Assessments

Contact us

Mobile Assessments

Our mobile assessments identify weaknesses in how an application interacts with the mobile device, the remote APIs it communicates with, how the application is written, and the libraries it uses to function.

Cloud Assessments

Cloud security assessments of AWS, Azure, or GCP go beyond the simple security issues that are easily detected through automation. We get to know the business purpose behind your architecture, review the design, and begin an analysis of security controls, monitoring and alerting, hardening, and IAM policies and permissions. We are an AWS Partner.

nVisium

Services

Software Assurance

Contact us

Code Remediation

Our Code Remediation service was designed to ensure you don't end up with a pile of unresolved bugs and security debt once an assessment is complete. We can integrate with your development team and follow their methodology as we submit the fixed code.

Software Assurance Lifecycle

Development of security processes, standards, guidelines, application risk management, dependency management, and other elements to be integrated into the Software Assurance Lifecycle. An in-depth analysis of the current software security program and related initiatives is performed.

Cloud Security Services

Cloud security review of AWS, Azure, or GCP that goes beyond the simple security issues that are easily detected through automation. We get to know the business purpose behind your architecture, review the design, and begin an analysis of security controls, monitoring and alerting, hardening, IAM policies and permissions. We are an AWS Partner.

nVisium

Services

Software Assurance

Contact us

Software Security Program

Evaluation of your current software security program and tailored recommendations to improve, grow and mature as an organization. Designed to provide detailed analysis, maturity scoring, and a future roadmap for your software security program based on the OWASP Software Assurance Maturity Model (SAMM) Framework.

Secure Architecture Review

Comprehensive review of the application or system design, including third-party services, data storage and transmission, infrastructure design, and more. The result will not only include a list of security risks, but also guidance to resolve these identified risks.

Security Integration

Integration of manual and automated processes to uncover and remediate security risks.We leverage software tools used for detection of security risks and our secure development expertise to remediate vulnerabilities in your development cycles. Especially critical in DevOps or Agile development shops where speed is paramount and traditional approaches fall short.

nVisium

Services

Training

Contact us

On-Demand Training Platform

Our browser based On-Demand Training Platform is the next generation of training. It is made up of engaging language specific content, uses an interactive grading engine, meets PCI DSS requirements and aligns with the OWASP Top 10. It can also be integrated with your organization's Single Sign On (SSO) provider

nVisium

Services

Training

Contact us

Instructor-Led Training

We offer instructor-led training, either on-site or virtually, using our state of the art cloud-based training environment. Regardless of the format, our training courses are highly engaging and teach developers how to identify and fix flaws in their own software.

“nVisium’s approach was unique and the team provided actionable findings. They strove to make our application secure and resilient.”

Deltek

Rich Ronston / Director of IT Security at Deltek

“nVisium has a world class application security consulting team that brings unprecedented knowledge, innovation and leadership to help train, advise and assist our development teams.”

CARFAX

CARFAX

“nVisium performed a hybrid mobile assessment and then took those findings to build a custom security training course for our developers. The training was valuable, engaging and helpful for the developers to understand the importance of building secure software from the ground up. nVisium's training resulted in more secure code across the organization.”

Tinder

Tony Trummer / Director of Security Engineering at Tinder

“PeopleNet engaged nVisium to perform an architectural review of one of our in cab devices. The nVisium team was exceptional - very professional, and extremely knowledgeable and engaging. The result was an exceedingly productive and informative review of our device. "

PeopleNet

Kjell Erickson / Director of Vehicle Platform Software at PeopleNet

As an Application Security Provider we understand

We understand that risk mitigation extends beyond periodic assessments, training, and code remediation. nVisium has the capabilities to assist your team in implementing strategies, technology, and policies that align with your organization and development methodologies.

Contact us

Azure Guest Users - Risks and Security Considerations

Microsoft Azure has a tenant-level feature that allows all Azure Active Directory (AAD) members to create and invite guest users. The official name for this feature is Azure Active Directory B2B. The idea is simple: say your company needs to collaborate with an external vendor or a consultant, and you need to show them some nifty app demos you have set up in your company’s Azure tenant. You don’t want to make the app available for everyone on the internet to see. An easy solution to this problem is to invite them into your tenant as a guest user. Once you have sent them an invite, you can pull the guest user’s profile in AAD and assign them access to subscriptions and grant them roles as needed. This is indeed very convenient. As it is often the cases with convenient features, this comes with its own set of risks.

Sep 04

Intro to Hardware Hacking - Dumping your First Firmware

IoT security is an exciting field that opens up the doors to a lot of interesting research. When you dive into the rabbit hole of hardware security, you’ll encounter a whole array of engaging and varied challenges: Bluetooth sniffing, Software-Defined Radio, ARM exploitation, reverse engineering, and a whole lot of hardware tinkering and breaking. However, knowing where to start can be confusing and difficult, so we will help you get started by showing you how to dump firmware from IoT device.

Aug 07

How We Built It -- CORS and AWS API Gateway

This post is the first in a series entitled: “How We Built It.” The goal is to highlight how nVisium, a security-centric company, took the lessons learned from years of application security work and applied them towards building secure code within our own software platform. In this first post, I’ll be exploring how we built a robust Cross-Origin Resource Sharing (CORS) implementation within an AWS Lambda and API Gateway serverless architecture. Specifically, I’ll demonstrate how we handle whitelisting a set of domains, as opposed to just a single domain.

Jul 10

Adapting Agile for Internal Security Operations

How we do software development have been evolving. This is not just because we no longer have to worry about maintaining clunky on-prem servers and can instead write serverless applications and push code to a cloud service like AWS or Azure. How we collaborate with other developers, plan, and schedule work has been changing as well. As more companies are adopting new technologies, so are they making agile the default methodology for getting work done, even if agile means something slightly different to everybody. However, despite all the talk about DevOps and agile, most security teams of any size are still operating in the same waterfall fashion.

Jun 12

Benefits of Threat Modeling

Threat modeling is one of the most under-appreciated and misunderstood activities in application security. I always have mixed feelings when it comes to performing threat modeling. I like the idea of threat modeling and appreciate the value it brings to secure an application. However, the process is lengthy and time consuming. Threat modeling requires patience, knowledge, skills, and time. The process requires hours of focused discussion between the application and security teams to understand the application from inside out. The most tedious thing about threat modeling is maintaining the documentation and writing reports. I have been engaged in a few threat model assessments, and each one was different depending on the size and complexity of the application as well as the client’s requirement. I do not have any expertise in threat modeling. In the past, the thought of performing a threat model has made me nervous. For these reasons, I decided to get out of my comfort zone and write about it. This blog is my first step in making an effort to research, learn, and eventually, possess skills to be able to perform a threat modeling assessment myself.

May 30

Dev Secrets and the ASP.NET Core Secret Manager

When performing an application security assessment, one of the things we look for are sensitive secrets committed to source control. Most web applications rely on secrets to perform security operations. Those secrets could include API keys, database credentials, third-party service credentials, encryption keys, and more. The disclosure of these secrets could lead to unauthorized third-party service access or even complete system compromise.

May 02

Django vs. the OWASP Top 10 - Part 1

Part 1 of this series will focus on Django’s built-in mitigations for some of the most common risks listed in the OWASP Top 10, while part 2 will focus on misconfigurations and insecure coding practices. For those unaware, the OWASP Top 10 is a list of the most common web application security weaknesses found in real-world applications and APIs. The risks are listed in order from A1 - A10, with A1 being the most prevalent risk. The 2017 version of the OWASP Top 10 and Django 2.2 pseudocode is used for the examples contained in this blog post.

Apr 18

The Case of the Missing API Docs

Have you ever purchased an IoT device, signed up for an application/service, or simply wanted to know how something worked, but were surprised when you found out that there was no documented API? First and foremost, I am taking a step back here from my traditional security practitioner position. Meaning, I am not talking about looking for admin-level or super secret root services; instead, I am merely talking about trying to figure out how an application or device works so that you can interface with it. You may have heard of IFTTT or Apple’s Shortcuts App; this post is about how you can start the process of creating your own integrations, even if the API isn’t officially supported. Another word of caution though, any time you integrate with an undocumented, unsupported API, you are opening yourself up to the possibility that the services/endpoints may change drastically with zero notice. This means your work may need to be tweaked, or may even be for naught. This is the risk you take when trying to hack your way into uncharted territory.

Mar 21

Optimizing a Security Assessment Engagement

Having examined real-world threats, the regulatory environment, shareholder demands, customer concerns, and pressure from the C-suite, you have wisely decided to engage a trusted partner to perform a security assessment. This might be an assessment of a web or mobile application, a cloud environment, or a device destined to join the "Internet of Things." Regardless of what the scope will be, you surely want to maximize the return from your investment in the assessment.

Mar 07

The Azure Security Model, Part 1 - Access Control Basics

Setting foot in the vast cloud kingdom of Microsoft Azure can be somewhat of a daunting and, at times, confusing experience. This is particularly true if you are used to relying on Amazon’s AWS products for developing and working with cloud applications. First off, there is a myriad of new concepts to learn and to map out: tenants, subscriptions, resources, services, etc. Then there is Azure Active Directory. Do you really need it? Can’t you just create Access Control (ACL)lists as you would in AWS? These are just some questions you may find yourself asking as you scroll (horizontally) through the Azure portal.

Feb 21

AppSec In Your Clouds

As cloud infrastructure and platform (IaaS/PaaS) providers differentiate their offerings, many organizations are adopting a multi-cloud strategy to leverage the best of what each world offers. Securing a multi-cloud environment presents challenges, as we need to ensure our core controls are replicated across different stacks. We need to protect serverless functions, container orchestration systems, Identity & Access Management (IAM), big data workloads, DevOps pipelines, and secure networking & content delivery across different operating environments.

Feb 13

Secure Development Training – Garnering Engagement

Not too many people will argue against the benefits of training. Training helps us improve how we do our jobs. We can have long discussions about which styles of training are most beneficial and which are not. We can talk about learning techniques and how to get students to retain more knowledge and complete training courses with more practical benefits that are measurable in the real world. However, all of that is mostly irrelevant if no one shows up for your training. If you can’t get your students to engage in the training, it’s all for naught.

Jan 23

Angular and AngularJS for Pentesters - Part 2

In our previous blog post, we discussed how Angular and AngularJS applications are generally structured from an application security point of view. This time, we will explore different ways in which we can dynamically debug Angular applications whether the code is minimized or not. But why would that matter to application security researchers? By debugging Angular applications from the browser console, we can manipulate functions and scope variables to our liking. This can allow us to trigger behaviors that can help us discover front and back-end bugs, such as missing function level access control and insecure direct object reference. Furthermore, the techniques shown in this post can make it easier to examine bundled and minimized Angular code by leveraging tools provided by your browser’s developer tools.

Jan 17
Contact us Today
Amazon Web Services .NET Java Android iOS golang nodejs Python Ruby on Rails