How & Why
IT Product Security Assessment
The security of IT products can be evaluated and tested for various purposes:
- For quality assurance
- To produce meaningful security documentation
- To identify issues that need attention
- With the goal of security certification
- To verify and measure the effects of secure development efforts
Our lab takes an approach that is flexible and can be tailored to your specific needs. This includes the evaluation of security concepts and early prototypes.
Starting from Requirements
Security is relative. There is no generic set of functions and features a system must have in order to be secure. Therefore, our security evaluations always start with a requirements analysis: what needs to be protected, against whom, and against what? Only after answering these questions do we start testing. This enables us to produce not just a list of bugs but a comprehensive security assessment.
Our security evaluations follow a four-step process. The first step is to understand the product being evaluated: what is it supposed to do, how does it relate to its environment, and what needs to be protected? Next, the security requirements are worked out. The basis for this is a threat analysis, combined with an analysis of known attack techniques that might apply to the target of evaluation.
The third step, testing, yields a list of observations, tests, and test results, each documented in such a way that your developers will be able to reproduce it. In the final step, a wrap-up of our findings concludes the evaluation, comprising an assessment of the individual issues and of the overall security level. You will also receive recommendations on how to proceed and how to improve your product.