nVisium

The Intersection of Software and Security

Improve Your Software Security

Talk to an nVisium Expert Today

Build Reliable and Secure Applications

By integrating security into the development process, nVisium strives to find and help fix security vulnerabilities in our client's software while teaching our clients the importance of incorporating security from the ground up. We offer a range of comprehensive services to ensure that you and your company are protected from cyber threats, including security assessments, software assurance, and training.

Services

Assessments

Application Assessments

A standard assessment combines static and dynamic analysis, which allows our team to evaluate all aspects of an application and test risk mitigation solutions, This service also offers the most precise remediation advice.

IoT Assessments

The Internet of Things presents its own unique set of security challenges and requires a broad skillset for assessing. Our IoT assessments identify weaknesses in an entire IoT architecture including software, hardware, API, and web/mobile components.

Network Assessments

Using a combination of automated and manual techniques, our team will identify risks to your systems and networks that attackers could find and exploit. We will provide detailed information of our findings along with recommendations to help remediation efforts.

Services

Assessments

Mobile Assessments

Our mobile assessments identify weaknesses in how an application interacts with the mobile device, the remote APIs it communicates with, how the application is written, and the libraries it uses to function.

Cloud Assessments

Cloud security assessments of AWS, Azure, or GCP go beyond the simple security issues that are easily detected through automation. We get to know the business purpose behind your architecture, review the design, and begin an analysis of security controls, monitoring and alerting, hardening, and IAM policies and permissions. We are an AWS Partner.

Adversarial & Threat Assessments

nVisium performs a wide range of niche assessments beyond the scope of traditional application security. These include, competitive intelligence gathering, opaque or adversarial assessments, network penetration testing, and more. nVisium has gathered a collection of experts in a diverse set of fields, such as DFIR, physical security, and development to provide a variety of assessments tailored to your business’ needs.

Services

Software Assurance

Code Remediation

Our Code Remediation service was designed to ensure you don't end up with a pile of unresolved bugs and security debt once an assessment is complete. We can integrate with your development team and follow their methodology as we submit the fixed code.

Software Assurance Lifecycle

Development of security processes, standards, guidelines, application risk management, dependency management, and other elements to be integrated into the Software Assurance Lifecycle. An in-depth analysis of the current software security program and related initiatives is performed.

Cloud Security Services

Cloud security review of AWS, Azure, or GCP that goes beyond the simple security issues that are easily detected through automation. We get to know the business purpose behind your architecture, review the design, and begin an analysis of security controls, monitoring and alerting, hardening, IAM policies and permissions. We are an AWS Partner.

Services

Software Assurance

Software Security Program

Evaluation of your current software security program and tailored recommendations to improve, grow and mature as an organization. Designed to provide detailed analysis, maturity scoring, and a future roadmap for your software security program based on the OWASP Software Assurance Maturity Model (SAMM) Framework.

Secure Architecture Review

Comprehensive review of the application or system design, including third-party services, data storage and transmission, infrastructure design, and more. The result will not only include a list of security risks, but also guidance to resolve these identified risks.

Security Integration

Integration of manual and automated processes to uncover and remediate security risks.We leverage software tools used for detection of security risks and our secure development expertise to remediate vulnerabilities in your development cycles. Especially critical in DevOps or Agile development shops where speed is paramount and traditional approaches fall short.

Services

Training

On-Demand Training Platform

Our browser based On-Demand Training Platform is the next generation of training. It is made up of engaging language specific content, uses an interactive grading engine, meets PCI DSS requirements and aligns with the OWASP Top 10. It can also be integrated with your organization's Single Sign On (SSO) provider

Services

Training

Instructor-Led Training

We offer instructor-led training, either on-site or virtually, using our state of the art cloud-based training environment. Regardless of the format, our training courses are highly engaging and teach developers how to identify and fix flaws in their own software.

“nVisium’s approach was unique and the team provided actionable findings. They strove to make our application secure and resilient.”

Rich Ronston / Director of IT Security at Deltek

“nVisium has a world class application security consulting team that brings unprecedented knowledge, innovation and leadership to help train, advise and assist our development teams.”

“nVisium performed a hybrid mobile assessment and then took those findings to build a custom security training course for our developers. The training was valuable, engaging and helpful for the developers to understand the importance of building secure software from the ground up. nVisium's training resulted in more secure code across the organization.”

Tony Trummer / Director of Security Engineering at Tinder

As an Application Security Provider we understand

We understand that risk mitigation extends beyond periodic assessments, training, and code remediation. nVisium has the capabilities to assist your team in implementing strategies, technology, and policies that align with your organization and development methodologies.

ALL
BLOG

Why Mobile Application Security?

In an era of constant, persistent connectivity, our relationships are becoming increasingly managed by instant communication channels, powered by mobile technologies. There are now more cellular subscriptions than there are people in the world and an estimated 10 billion mobile connected devices in use. The demarcation between business and personal time is no longer clear. We can use FaceTime, Slack, or have a GoToMeeting with clients on our smartphones, all while taking notes, sending emails, and even perhaps playing a little Trivia Crack on the side. We still love to go on vacations, yet, we still want to remain reachable during our downtime. Since carrying a laptop to the beach is a bit of a pain, we can just throw an iPad or Pixel C device into our beach bag. Our circles, both personal and professional, can now see the stunning backdrop with aquamarine water, sun-drenched sand, or a colorful, tall drink embellished by exotic fruits and a paper umbrella – all thanks to Instagram. Mobile technology enables us to respond from wherever we are, no matter what other things we may be doing. By having this latitude, we are forced into being connected, available, and productive in both our personal and business lives. We now carry a singular, small, smart device that provides us with constant connectivity, allowing us to be tethered to our businesses and personal lives, on-demand. But mixing business with pleasure not only raises privacy concerns, it opens our business networks to new threats. We have hundreds of mobile applications, of both business and personal nature, which are commingled on our devices. In some cases, they share, replicate, and backup data. This forces us into a tenuous balancing act of having to secure our business data and networks from these smart devices, and also to provide our employees with the flexibility to do their work from anywhere, at any time. With the gifts technology brings comes the responsibility to ensure that these devices and applications are used safely. By in large, most consumers aren’t aware of the clear and present dangers. To wit, 28% of mobile device users do not use the built-in password or device protections, yet, 80% of people use their smartphones to shop. A user’s sensitive data is stored in a myriad of locations within installed applications such as: in device memory, on the file system, numerous caches, and other built-in mechanisms like autocomplete or pasteboard. Furthermore, users can be tracked through GPS locations that the device may be tracking in contacts, images, map searches, etc. As such, a stolen or pre-owned device can include more than enough data to steal a person’s identity. Now it’s time to enter the world of mobile application security. I started my foray at a very small boutique consulting firm specializing in application security, as an Application Security Engineer in 2008. At that time, Apple was getting ready to release their second iPhone, the 3G. Google’s first commercially available handset was to be released shortly thereafter. Along with the iPhone 3G, Apple also unveiled their “AppStore” to the world. Although Blackberry had a stronghold on the business market, Apple and Google had other plans. Even back then, I foresaw the critical need to migrate existing application security practices into the mobile world, given the release of the Apple AppStore and the flurry of applications it added to the global market. It took a couple of years for Apple and Google to establish trust with the business world, and by 2010, it was clear that establishing mobile application security expertise to serve our clientele’s needs was required. Just a mere 7-10 years ago, mobile application security was a foreign concept and most clients had not given thought to leave their Blackberry worlds, but I saw the writing on the wall. I decided it was time to start researching and pursuing mobile application security. From the early days of mobile, I wanted to be involved in creating security practices, evangelizing the need for security with developers and contributing my expertise to both the technical and business sides of the house. The Open Web Application Security Project (OWASP) was a great place to help create application security standards to meet the new world order. A small group of us got together on a grassroots basis and drafted the ”Top Ten Risks of Mobile Security” and “Top Ten Controls of Mobile Security.“ We quickly determined that most of the threats and controls had to be focused on the data an application or organization may allow, store, or send to and from these devices. Once these top ten lists were drafted, I moved on to serve as an early reviewer of the “OWASP Mobile Testing Guide.” The Top Ten and Testing Guide have evolved greatly since then, but we had to start somewhere! As an application security practitioner, it is vitally important for me to ensure that businesses and individuals understand the security considerations and the ramifications if they aren’t apparent: The mobile world has evolved into “the internet of things,” or IoT, and I am delighted to be part of this rapidly evolving world with nVisium. I brought my skills and leadership to nVisium back in late 2015 because I believed in the strength of the organization, and the commitment to client’s and their application security needs. A lot of what we do is “break” current architectures to bypass built-in security controls or to expose missing security controls; however, we also help developers and clients understood the root causes and how to fix them. As an example, we were able to successfully bypass authentication and authorization controls to anonymously transfer money from one bank account to another. In another mobile assessment, we were able to successfully perform runtime manipulation and memory analysis of the mobile application to not only find and change the current logged in user’s password but also bypass the TouchID authentication mechanism. As experts in the fields of mobile application security, nVisium draws upon its combined decades of engineering and security experience to produce practical, scalable and repeatable services that help keep our clients’ software secure and businesses safe. We can integrate into your team’s existing development processes and workflows to help build a more robust security program.

CPU Degradation and EC2 Spot Fleets OR Why Don't My Miners Run At 100%?

This post will delve into some unanticipated behavior I was seeing with specific instances within my spot fleet. Namely, I’ll be digging into a non-trivial amount of CPU performance degradation.

Cloud-Native Insights from Kubecon 2017

Kubecon and CloudNativeCon 2017 took place last week in Austin, Texas, and it gave a glimpse into what the future holds for the Kubernetes and cloud-native landscapes. As Kubernetes grows from a single container orchestration engine into an ecosystem of tools and at the core of many cloud platforms, it’s important to understand where the project is headed and how the many members of the Cloud Native Computing Foundation (CNCF) factor in. Will Kubernetes turn into a bunch of forks, like Linux? Or will it remain pure at its core as it’s adopted by many different software players in many different forms? There is an overwhelming number of interesting projects and there are novel approaches to making automation and deploying software better than ever. Let’s take a look at where Kubernetes and cloud-native are going in 2018.

AWS re:Invent reCap

As Jonn Callahan and I sat at AWS re:Invent this year, one thing kept coming up in our conversations: inspiration. Between the exciting new service releases, the innovative use cases, and the great networking events, it was hard to go to bed at night without compiling a list of all of the things we want to build, or how we can modify our current architecture to scale better at a lower cost point.

OWASP Top 10 2007-2017: The Fall of CSRF

The final version of OWASP Top 10 2017 was recently released and it has changed significantly from the 2013 version. Within various release candidates of the 2017 list, there were significant changes as well. While the significant issues with the RC1 release were well-documented and analyzed, RC2 and the final Top 10 have been a course correction for the project and a net-positive overall. Of the major changes in the final version, one of the biggest debates has centered around the removal of Cross-Site Request Forgery (CSRF) and additions of Insecure Deserialization and XML External Entities (XXE). This post focuses on analyzing why we believe it made sense to demote CSRF and focus on lesser “fixed” areas in our code and frameworks.

Migrating to Microservices: Securely & Safely

Microservices allow you to build your applications as services that are deployed and maintained independently. While many software organizations have been using microservices and containers for years, a considerable amount are still in the early phases of adopting and migrating their legacy architectures heading into 2018. Microservices have a lot in common with Service-Oriented Architectures (SOA), but have their own unique properties too. Compared to traditional monolithic software development, microservices speed up our deployments, let us iterate faster, and take full advantage of modern computing platforms. There are great benefits to using microservices, but there are also many architectural complexities to consider as well as cultural and procedural issues to solve. Keeping your architecture secure with decentralized governance can be challenging and requires us to think carefully upfront about how to scaffold security within our core design and habits.

Event-Driven Kubernetes Security: Bringing in the Brigade

Brigade provides event-based scripting for Kubernetes that allows you to build complex pipelines and workflows between your containers and other systems. An open-source project released by the Microsoft Azure team, Brigade itself is written in Go and scripts are written for Brigade in JavaScript with limited access to Node.js APIs. If you like serverless runtimes or Function as a Service (FaaS) technology, then you’ll love Brigade. Servers run as native pods and services on your Kubernetes cluster. Using Brigade, you can chain together functions and sequences of logic triggered by events and executed across containers. The focus of this post is to demonstrate the use-cases for utilizing Brigade to perform basic event-driven tasks in your cluster.

Securing Kubernetes: Going from k8s to k8sec

Continuing our blog series on technologies we love and use internally at nVisium, let’s take a stroll through the park with Kubernetes. We’ve implemented Kubernetes to deploy and scale our containerized microservices, which allows us to magically easily spin up and manage new services and focus on new features rather than managing containers and infrastructure. However, the speed and simplicity of how you can deploy complex applications with a few strokes of the keyboard can also be our enemy if we don’t bake security into our design. This post is the first in an eight-part series that will explore the broad surface and internals of securely designing your systems as powered by Kubernetes.

Play 2.6 Security Analysis

Play 2.6 final was recently released and it includes a ton of awesome new features. Some of the most exciting features include: replacing Netty with Akka HTTP Server as the default backend as well as shipping with experimental HTTP/2 support (finally!). From a security perspective, Play 2.6 introduces new features and settings you want to take advantage of.

I presented my first talk at an InfoSec conference and lived to tell the tale

In this post, I’ll discuss my recent adventure regarding my first InfoSec con presentation. Hopefully, you’ll find the tips littered throughout this blog helpful as you prepare to present for your first time.

Lambda@Edge, CloudFront, and Custom Response Headers

Back in early 2017, AWS released a preview of the new Lambda@Edge functionality. This allowed Lambda triggers to be set on CloudFront and Origin sources requests and responses. Leveraging this functionality, it is now possible to set custom headers on resources cached via CloudFront.

Dude, Where’s My Request Validation?

While in the process of migrating our ASP.NET on-demand training course to ASP.NET Core, I noticed ASP.NET Core 1.0 did not include a similar feature to ASP.NET’s Request Validation.

DEF CON - Is It Really That Scary?

This year marks my third working in Business Development at nVisium, and until now, I’d strategically avoided the infamous Black Hat and DEF CON industry conferences. Like many first-time DEF CON attendees, I really had no idea what to expect.

Of Airbags and Modeling, Part 0

I was in a car accident the last year, and was talking with our CEO Jack after the fact. He asked if the air bags had deployed, which I said they didn’t (in fact, if they had, I probably wouldn’t have been injured). Jack responded with:

Advantages and Disadvantages of Android N+ Network Security Configuration

As more and more applications and manufactures upgrade their Android APIs or device software versions, many security testers will face an interesting dilemma. The days of simply trusting a supplied Certificate Authority (CA) and forwarding all device traffic to an HTTPS proxy are gone. This is due to some major trust changes made in the plumbing of Android N and beyond.

Three Reasons Why You Should Consider Attending the OWASP Summit 2018

After I returned home from the OWASP Summit last week, I started with my typical valuation of my time. I asked myself whether or not this was a good use of a week, did I contribute, what did I learn, and most importantly, would I do it again? The answer to the first and last question was an emphatic “YES!”. After further introspection (completing the feedback loop!), I realized there were three primary reasons I was planning to return for the next summit.

Contact us Today