The reality is that companies must cover all the angles, including subjecting their systems and software to serious scrutiny and stress testing. Ultimately, the onus lies on software and device vendors.
In keeping with the demands from their existing or potential customers, these vendors are required to perform security assessments (application assessment, penetration tests, or embedded device assessments) against the products they sell. Unfortunately, they often rely on automated scanning tools to identify and enumerate issues without obtaining meaningful results. While automated tools reveal the low-hanging fruit and cost less, more significant issues often go overlooked.
According to Alpha Defense, there's a better way. Alpha Defense is changing the narrative with its focus on performing manual security assessments via source code analysis, reverse engineering (when needed), and providing a real-world perspective on exploitability. An engineering-focused, customer-driven cybersecurity firm, Alpha Defense offers a wide range of penetration testing, security assessment, and incident response services. "We evaluate all our work manually in addition to leveraging automated tools. We utilize the source code to identify issues that an automated scanner would miss," says Bow Sineath, Founder and CTO of Alpha Defense.
Once the issues are identified, Alpha Defense helps vendors remediate and mitigate these issues by prioritizing them based on severity. Alpha Defense's approach to conducting severity assignments is in contrast to other firms that often provide severity information that is obscure and simply not enough to evaluate today's threats effectively. Oftentimes, these firms inflate or report issues that aren't exploitable as "high severity." This drives vendors to spend their development efforts on issues that don't exist. "The traditional way of assigning severity scores without justification/details can create problems for customers in prioritizing fixes or understanding why something is as serious as it is," Sineath notes.
To this end, Alpha Defense provides not only severity scoring that meets the standards of the Common Vulnerability Scoring System (CVSS) but also backs up severity assignments with justification. The company explicitly discusses the reason why a severity score was assigned, along with identifying mitigating factors. As a result, Alpha Defense provides a more real-world, realistic way of categorizing issues for remediation.
Alpha Defense also tries to provide detailed defense-in-depth recommendations wherever feasible. For example, if an application exposes a dangerous function, Alpha Defense identifies and reports it as a defense-in-depth finding to ensure that the function is not inadvertently used in future development. Moreover, given that integrating security testing and best practices into development cycles is difficult, Alpha Defense structures its findings such that the reporting is educational and can be used as a tool for vendors to prevent future issues in their code.
Driven by a Customer-Centric Mindset
Alpha Defense focuses on building long-term partnerships with clients. The company may deliver the report only at the end of an assessment but encourages follow-ups and feedback from customers in the long run. "We are engineers first and foremost, and we provide services that reflect that. We hope to engage our customers' engineering teams and ensure that they understand the issues we identify, how to fix them, and how they can identify similar issues in their code," comments Sineath.
What gives Alpha Defense a competitive edge is its ability to be clear with any caveats that apply to engagements or tasks it performs. "Our perspective is that although we analyze and review the target of evaluation in a few weeks, our experts are in the best position to identify and prevent issues in ongoing development," Sineath notes.
While application and device assessments are a big focus for Alpha Defense, the company also performs other services, ranging from work that draws on its experience in exploitation and reverse engineering to more organizational/IT tasks, like vulnerability assessments and forensics. The company has recently expanded its operations and has moved its headquarters to the former military base in Fort Devens. With a steadfast commitment to creating a safer, more secure world, Alpha Defense will continue delivering engineering-focused, bespoke services for its partners and clients in the years to come.