By integrating security into the development process, nVisium strives to find and help fix security vulnerabilities in our clients' software while teaching our clients the importance of incorporating security from the ground up. We offer a range of comprehensive services to ensure that you and your company are protected from cyber threats, including security assessments, software assurance, and training.
A standard assessment combines static and dynamic analysis, which allows our team to evaluate all aspects of an application and test risk mitigation solutions. This service also offers the most precise remediation advice.
The Internet of Things presents its own unique set of security challenges and requires a broad skillset to assess. Our IoT assessments identify weaknesses in an entire IoT architecture, including software, hardware, API, and web/mobile components.
Using a combination of automated and manual techniques, our team will identify risks to your systems and networks that attackers could find and exploit. We will provide detailed information on our findings along with recommendations to help remediation efforts.
Our mobile assessments identify weaknesses in how an application interacts with the mobile device, the remote APIs it communicates with, how the application is written, and the libraries it uses to function.
Cloud security assessments of AWS, Azure, or GCP go beyond the simple security issues that are easily detected through automation. We get to know the business purpose behind your architecture, review the design, and begin an analysis of security controls, monitoring and alerting, hardening, and IAM policies and permissions. We are an AWS Partner.
Our Code Remediation service was designed to ensure you don't end up with a pile of unresolved bugs and security debt once an assessment is complete. We can integrate with your development team and follow their methodology as we submit the fixed code.
Development of security processes, standards, guidelines, application risk management, dependency management, and other elements to be integrated into the Software Assurance Lifecycle. An in-depth analysis of the current software security program and related initiatives is performed.
Cloud security review of AWS, Azure, or GCP that goes beyond the simple security issues that are easily detected through automation. We get to know the business purpose behind your architecture, review the design, and begin an analysis of security controls, monitoring and alerting, hardening, IAM policies and permissions. We are an AWS Partner.
Evaluation of your current software security program and tailored recommendations to improve, grow and mature as an organization. Designed to provide detailed analysis, maturity scoring, and a future roadmap for your software security program based on the OWASP Software Assurance Maturity Model (SAMM) Framework.
Comprehensive review of the application or system design, including third-party services, data storage and transmission, infrastructure design, and more. The result will not only include a list of security risks, but also guidance to resolve these identified risks.
Integration of manual and automated processes to uncover and remediate security risks. We leverage software tools used for detection of security risks and our secure development expertise to remediate vulnerabilities in your development cycles. This is especially critical in DevOps or Agile development shops where speed is paramount and traditional approaches fall short.
Our browser-based On-Demand Training Platform is the next generation of training. It is made up of engaging language-specific content, uses an interactive grading engine, meets PCI DSS requirements, and aligns with the OWASP Top 10. It can also be integrated with your organization's Single Sign-On (SSO) provider.
We offer instructor-led training, either on-site or virtually, using our state-of-the-art cloud-based training environment. Regardless of the format, our training courses are highly engaging and teach developers how to identify and fix flaws in their own software.
“nVisium’s approach was unique and the team provided actionable findings. They strove to make our application secure and resilient.” Rich Ronston / Director of IT Security at Deltek
“nVisium has a world class application security consulting team that brings unprecedented knowledge, innovation and leadership to help train, advise and assist our development teams.” CARFAX
“nVisium performed a hybrid mobile assessment and then took those findings to build a custom security training course for our developers. The training was valuable, engaging and helpful for the developers to understand the importance of building secure software from the ground up. nVisium's training resulted in more secure code across the organization.” Tony Trummer / Director of Security Engineering at Tinder
“PeopleNet engaged nVisium to perform an architectural review of one of our in-cab devices. The nVisium team was exceptional - very professional, and extremely knowledgeable and engaging. The result was an exceedingly productive and informative review of our device.” Kjell Erickson / Director of Vehicle Platform Software at PeopleNet
We understand that risk mitigation extends beyond periodic assessments, training, and code remediation. nVisium has the capabilities to assist your team in implementing strategies, technology, and policies that align with your organization and development methodologies.
For the past 20 years, application security has been built into many organizations’ development processes and practices. When the Open Web Application Security Project (OWASP) was established in 2001, it bolstered the importance of application security. Since then, application security practices have been built to include many different processes, but they were all built based on a waterfall approach. Some of these different processes are (in no particular order):
In this webinar, nVisium’s CEO, Jack Mannino, explores the Kubernetes attack surface and presents methods to keep your cloud-native systems resilient to attack. He demos the cloud-native attack surface and shows how to build a hardened infrastructure and deploy secure services using Kubernetes.
In the ever-evolving, fast-paced Agile development world, application security has not scaled well. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. In this session, we will talk through the various solutions to help build security into the development process.
Gain insight into some of the details of the OWASP Top 10 Call for Data and industry survey, and what we were attempting to learn. This session will provide tips and common pitfalls for structuring vulnerability data and the subsequent analysis. Learn what the data can tell us and what questions are still left unanswered. Uncover some of the differences in collecting metrics in different stages of the software lifecycle and recommendations for handling them.
This talk, given at CodeMash 2018, will break down exactly what all of these acronyms and browser-enforced security policies mean. Attendees will learn implementation and long-term strategies in an effort to increase security posture without potentially sink-holing your users’ traffic.
With the meteoric rise of cryptocurrencies as an economic entity, morally corrupt folk have begun leveraging them as an easy way to convert popped boxes into money. Specifically, and obviously, this is done by turning compromised machines into cryptocoin miners. Many coins require the use of highly specialized hardware, such as Field-Programmable Gate Arrays (FPGAs) or Application-Specific Integrated Circuits (ASICs), in order for mining to see any kind of realistic return; however, many can be successfully mined using GPUs and even CPUs. Monitoring your AWS environment for malicious insiders or external attackers mining GPU-based coins is fairly straightforward for the vast majority of organizations: set up a CloudWatch event to trigger any time a GPU-enabled EC2 instance is spawned. Most organizations have no legitimate use for GPU-enabled servers, so if one is spun up, it’s almost certainly an event that warrants review. This has led to attackers preferring to leverage coins that can be mined via CPUs. The most popular choice is Monero (XMR), though Verium (VRM) is another possible candidate.
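The GPU-instance alert described above, as an added example that is not part of the original post: a CloudWatch Events / EventBridge pattern that fires on CloudTrail `RunInstances` calls, and a handler that flags launches of accelerated instance families. The family list and the sample CloudTrail records are assumptions constructed for this illustration.

```python
import json
from typing import List

# CloudWatch Events / EventBridge rule pattern: match every EC2 RunInstances call
# delivered via CloudTrail. Instance-type filtering is done in the handler below.
EVENTBRIDGE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"], "eventName": ["RunInstances"]},
}

# Assumed, non-exhaustive list of accelerator-backed families: p* and g* are GPU
# families, f1 is FPGA, inf*/trn* are ML accelerators. Tune this to your estate.
ACCELERATED_FAMILIES = {"f1", "inf1", "inf2", "trn1"}


def is_accelerated(instance_type: str) -> bool:
    """True for GPU/FPGA/ML-accelerator instance types such as p3.2xlarge or g4dn.xlarge."""
    family = instance_type.split(".")[0].lower()
    return family[:1] in ("p", "g") or family in ACCELERATED_FAMILIES


def instance_types_from_event(detail: dict) -> List[str]:
    """Collect instance types from a CloudTrail RunInstances record.
    The requested type sits in requestParameters.instanceType; the response echoes
    it per launched instance under responseElements.instancesSet.items."""
    types = set()
    req = detail.get("requestParameters") or {}
    if req.get("instanceType"):
        types.add(req["instanceType"])
    resp = detail.get("responseElements") or {}
    for item in (resp.get("instancesSet") or {}).get("items", []):
        if item.get("instanceType"):
            types.add(item["instanceType"])
    return sorted(types)


def review_launch(detail: dict) -> dict:
    """Produce a finding for a RunInstances record; needs_review is set when any
    launched type is accelerated, which for most shops warrants a human look."""
    flagged = [t for t in instance_types_from_event(detail) if is_accelerated(t)]
    return {
        "event_id": detail.get("eventID"),
        "principal": (detail.get("userIdentity") or {}).get("arn"),
        "region": detail.get("awsRegion"),
        "instance_types": flagged,
        "needs_review": bool(flagged),
    }


def handler(event: dict, context=None) -> dict:
    """Lambda entry point for the EventBridge rule above (hypothetical wiring)."""
    finding = review_launch(event["detail"])
    print(json.dumps(finding))  # ship to your alerting pipeline in a real deployment
    return finding


# Constructed sample CloudTrail records (not real account data).
SAMPLE_GPU_LAUNCH = {
    "eventID": "constructed-0001", "awsRegion": "us-east-1",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
    "requestParameters": {"instanceType": "p3.2xlarge"},
    "responseElements": {"instancesSet": {"items": [{"instanceType": "p3.2xlarge"}]}},
}
SAMPLE_CPU_LAUNCH = {
    "eventID": "constructed-0002", "awsRegion": "us-east-1",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ci-runner"},
    "requestParameters": {"instanceType": "t3.micro"},
    "responseElements": {"instancesSet": {"items": [{"instanceType": "t3.micro"}]}},
}
```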
In an era of constant, persistent connectivity, our relationships are becoming increasingly managed by instant communication channels, powered by mobile technologies. There are now more cellular subscriptions than there are people in the world and an estimated 10 billion mobile connected devices in use. The demarcation between business and personal time is no longer clear. We can use FaceTime, Slack, or have a GoToMeeting with clients on our smartphones, all while taking notes, sending emails, and even perhaps playing a little Trivia Crack on the side. We still love to go on vacations, yet, we still want to remain reachable during our downtime. Since carrying a laptop to the beach is a bit of a pain, we can just throw an iPad or Pixel C device into our beach bag. Our circles, both personal and professional, can now see the stunning backdrop with aquamarine water, sun-drenched sand, or a colorful, tall drink embellished by exotic fruits and a paper umbrella – all thanks to Instagram. Mobile technology enables us to respond from wherever we are, no matter what other things we may be doing. By having this latitude, we are forced into being connected, available, and productive in both our personal and business lives. We now carry a singular, small, smart device that provides us with constant connectivity, allowing us to be tethered to our businesses and personal lives, on-demand. But mixing business with pleasure not only raises privacy concerns, it opens our business networks to new threats. We have hundreds of mobile applications, of both business and personal nature, which are commingled on our devices. In some cases, they share, replicate, and backup data. This forces us into a tenuous balancing act of having to secure our business data and networks from these smart devices, and also to provide our employees with the flexibility to do their work from anywhere, at any time. 
With the gifts technology brings comes the responsibility to ensure that these devices and applications are used safely. By and large, most consumers aren’t aware of the clear and present dangers. To wit, 28% of mobile device users do not use the built-in password or device protections, yet 80% of people use their smartphones to shop. A user’s sensitive data is stored in a myriad of locations within installed applications, such as in device memory, on the file system, in numerous caches, and in other built-in mechanisms like autocomplete or the pasteboard. Furthermore, users can be tracked through GPS locations that the device may be recording in contacts, images, map searches, etc. As such, a stolen or pre-owned device can include more than enough data to steal a person’s identity. Now it’s time to enter the world of mobile application security. I started my foray at a very small boutique consulting firm specializing in application security, as an Application Security Engineer in 2008. At that time, Apple was getting ready to release their second iPhone, the 3G. Google’s first commercially available handset was to be released shortly thereafter. Along with the iPhone 3G, Apple also unveiled their “AppStore” to the world. Although Blackberry had a stronghold on the business market, Apple and Google had other plans. Even back then, I foresaw the critical need to migrate existing application security practices into the mobile world, given the release of the Apple AppStore and the flurry of applications it added to the global market. It took a couple of years for Apple and Google to establish trust with the business world, and by 2010, it was clear that establishing mobile application security expertise to serve our clientele’s needs was required. Just a mere 7-10 years ago, mobile application security was a foreign concept and most clients had not given thought to leaving their Blackberry worlds, but I saw the writing on the wall.
I decided it was time to start researching and pursuing mobile application security. From the early days of mobile, I wanted to be involved in creating security practices, evangelizing the need for security with developers and contributing my expertise to both the technical and business sides of the house. The Open Web Application Security Project (OWASP) was a great place to help create application security standards to meet the new world order. A small group of us got together on a grassroots basis and drafted the “Top Ten Risks of Mobile Security” and “Top Ten Controls of Mobile Security.” We quickly determined that most of the threats and controls had to be focused on the data an application or organization may allow, store, or send to and from these devices. Once these top ten lists were drafted, I moved on to serve as an early reviewer of the “OWASP Mobile Testing Guide.” The Top Ten and Testing Guide have evolved greatly since then, but we had to start somewhere! As an application security practitioner, it is vitally important for me to ensure that businesses and individuals understand the security considerations and the ramifications if they aren’t apparent. The mobile world has evolved into “the internet of things,” or IoT, and I am delighted to be part of this rapidly evolving world with nVisium. I brought my skills and leadership to nVisium back in late 2015 because I believed in the strength of the organization, and the commitment to clients and their application security needs. A lot of what we do is “break” current architectures to bypass built-in security controls or to expose missing security controls; however, we also help developers and clients understand the root causes and how to fix them. As an example, we were able to successfully bypass authentication and authorization controls to anonymously transfer money from one bank account to another.
In another mobile assessment, we were able to successfully perform runtime manipulation and memory analysis of the mobile application to not only find and change the currently logged-in user’s password but also bypass the TouchID authentication mechanism. As experts in the field of mobile application security, nVisium draws upon its combined decades of engineering and security experience to produce practical, scalable and repeatable services that help keep our clients’ software secure and businesses safe. We can integrate into your team’s existing development processes and workflows to help build a more robust security program.
Kubecon and CloudNativeCon 2017 took place last week in Austin, Texas, and it gave a glimpse into what the future holds for the Kubernetes and cloud-native landscapes. As Kubernetes grows from a single container orchestration engine into an ecosystem of tools and at the core of many cloud platforms, it’s important to understand where the project is headed and how the many members of the Cloud Native Computing Foundation (CNCF) factor in. Will Kubernetes turn into a bunch of forks, like Linux? Or will it remain pure at its core as it’s adopted by many different software players in many different forms? There is an overwhelming number of interesting projects and there are novel approaches to making automation and deploying software better than ever. Let’s take a look at where Kubernetes and cloud-native are going in 2018.
As Jonn Callahan and I sat at AWS re:Invent this year, one thing kept coming up in our conversations: inspiration. Between the exciting new service releases, the innovative use cases, and the great networking events, it was hard to go to bed at night without compiling a list of all of the things we want to build, or how we can modify our current architecture to scale better at a lower cost point.
The final version of OWASP Top 10 2017 was recently released and it has changed significantly from the 2013 version. Within various release candidates of the 2017 list, there were significant changes as well. While the significant issues with the RC1 release were well-documented and analyzed, RC2 and the final Top 10 have been a course correction for the project and a net-positive overall. Of the major changes in the final version, one of the biggest debates has centered around the removal of Cross-Site Request Forgery (CSRF) and additions of Insecure Deserialization and XML External Entities (XXE). This post focuses on analyzing why we believe it made sense to demote CSRF and focus on lesser “fixed” areas in our code and frameworks.
Microservices allow you to build your applications as services that are deployed and maintained independently. While many software organizations have been using microservices and containers for years, a considerable amount are still in the early phases of adopting and migrating their legacy architectures heading into 2018. Microservices have a lot in common with Service-Oriented Architectures (SOA), but have their own unique properties too. Compared to traditional monolithic software development, microservices speed up our deployments, let us iterate faster, and take full advantage of modern computing platforms. There are great benefits to using microservices, but there are also many architectural complexities to consider as well as cultural and procedural issues to solve. Keeping your architecture secure with decentralized governance can be challenging and requires us to think carefully upfront about how to scaffold security within our core design and habits.
Continuing our blog series on technologies we love and use internally at nVisium, let’s take a stroll through the park with Kubernetes. We’ve implemented Kubernetes to deploy and scale our containerized microservices, which allows us to easily spin up and manage new services and focus on new features rather than managing containers and infrastructure. However, the speed and simplicity with which you can deploy complex applications with a few strokes of the keyboard can also be our enemy if we don’t bake security into our design. This post is the first in an eight-part series that will explore the broad surface and internals of securely designing your systems as powered by Kubernetes.
Play 2.6 final was recently released and it includes a ton of awesome new features. Some of the most exciting features include: replacing Netty with Akka HTTP Server as the default backend as well as shipping with experimental HTTP/2 support (finally!). From a security perspective, Play 2.6 introduces new features and settings you want to take advantage of.