IOT APPLICATION MOBILE CLOUD NETWORK

Professional Services Overview: Internet of Things (IoT) Security Assessment and Advisory Services


THE SECURITY EXPERTS WWW.PRAETORIAN.COM

Company Overview


HISTORY / ATTRIBUTES / PROPOSITION

‣ Superior technical prowess

‣ Comprehensive reporting

‣ Trusted business acumen

‣ Time-tested methodologies

‣ Praetorian provides end-to-end Internet of Things (IoT) penetration testing and security assessment services that help organizations successfully balance risk with time-to-market pressures.


Healthcare Technology

Finance

Automotive

Manufacturing

Energy

FOCUSED ON FORTUNE 1,000 & VENTURE-BACKED STARTUPS

‣ Founded in 2010

‣ Headquartered in Austin, TX

‣ Self-funded

‣ Profitable since inception


Internet of Things (IoT) Security Assessments, from Chip to Cloud


INTERNET OF THINGS END-TO-END SECURITY

Gain confidence that your Internet of Things (IoT) devices and data are secure

Praetorian provides end-to-end Internet of Things (IoT) penetration testing and security assessment services that help organizations successfully balance risk with time-to-market pressures. Our solutions provide coverage across technological domains, including embedded devices, firmware, wireless communication protocols, web and mobile applications, cloud services and APIs, and back-end network infrastructure.

Run-time Analysis

Binary Analysis

Static Analysis

Design Analysis

Hardware Analysis

PROFESSIONAL SECURITY EVALUATIONS

GET STARTED

IOT WEB MOBILE

CLOUD NETWORK ICS

APPLICATIONS We actively analyze web and mobile applications for any weaknesses, technical flaws, or vulnerabilities.

CLOUD SERVICES It is critical that cloud services and APIs be tested to determine whether they can be abused by attackers.

INFRASTRUCTURE Is backend network infrastructure that is supporting your Internet of Things product ecosystem secure?

EMBEDDED DEVICES Identify physical and logical security threats to the embedded systems in IoT product ecosystem.

DEVICE FIRMWARE We help ensure hardware and chip makers have sufficiently addressed IoT firmware insecurities.

WIRELESS PROTOCOLS Validate security and configuration of wireless communication such as ZigBee, 6LoWPAN, and BLE.

Penetration Testing

Reverse Engineering

Code Reviews

Threat Modeling

Device Testing

(800) 675-5152 [email protected] www.praetorian.com

Guided by OWASP Application Security Verification Standard (ASVS)


Professional Security Assessment Services Overview


Based on IEEE Computer Society estimates


OWASP Application Security Verification Standard (ASVS)


Praetorian follows the OWASP ASVS standard, which normalizes the range in coverage and level of rigor applied to each application.

LEVEL 0: Cursory / LEVEL 1: Opportunistic / LEVEL 2: Standard / LEVEL 3: Advanced

Level 0 (or Cursory) is an optional certification, indicating that the application has passed some type of verification.

Level 1 (or Opportunistic) certified applications adequately defend against security vulnerabilities that are easy to discover.

Level 2 (or Standard) verified applications adequately defend against prevalent security vulnerabilities whose existence poses moderate-to-serious risk.

Level 3 (or Advanced) certified applications adequately defend against advanced security vulnerabilities, and demonstrate principles of good security design.


OWASP Application Security Verification Standard (ASVS)


Praetorian follows the OWASP ASVS standard, which normalizes the range in coverage and level of rigor applied to each application.

OWASP ASVS defines the following security requirements areas:

‣ Authentication

‣ Session Management

‣ Access Control

‣ Malicious Input Handling

‣ Cryptography at Rest

‣ Error Handling and Logging

‣ Data Protection

‣ Communications Security

‣ HTTP Security

‣ Malicious Controls

‣ Business Logic

‣ File and Resource

‣ Mobile

‣ Embedded Devices (NEW)


OWASP ASVS for Internet of Things (IoT) Testing Coverage Matrix


OWASP ASVS defines specific test cases that are in scope for each ASVS Level

Coverage Key: Excellent, Good, Fair, Inadequate

| Security Control Group | Level 1: Opportunistic | Level 2: Standard | Level 3: Advanced |
|---|---|---|---|
| Architecture, Design, Threat Modeling | 1 / 11 | 8 / 11 | 11 / 11 |
| Authentication Controls | 17 / 26 | 24 / 26 | 26 / 26 |
| Session Management Controls | 11 / 13 | 13 / 13 | 13 / 13 |
| Access Control | 7 / 12 | 11 / 12 | 12 / 12 |
| Malicious Input Handling | 10 / 21 | 20 / 21 | 21 / 21 |
| Cryptography at Rest Controls | 2 / 10 | 7 / 10 | 10 / 10 |
| Error Handling & Logging Controls | 3 / 13 | 9 / 13 | 13 / 13 |
| Data Protection Controls | 4 / 11 | 8 / 11 | 11 / 11 |
| Communications Security Controls | 7 / 13 | 9 / 13 | 13 / 13 |
| HTTP Security Controls | 6 / 8 | 8 / 8 | 8 / 8 |
| Malicious Controls | 0 / 2 | 0 / 2 | 2 / 2 |
| Business Logic Controls | 0 / 2 | 2 / 2 | 2 / 2 |
| Files and Resources Controls | 7 / 9 | 9 / 9 | 9 / 9 |
| Mobile Controls | 7 / 11 | 10 / 11 | 11 / 11 |
| Web Services Controls | 7 / 10 | 10 / 10 | 10 / 10 |
| Configuration Controls | 1 / 10 | 5 / 10 | 10 / 10 |
| Embedded Device Controls (NEW) | 10 / 29 | 20 / 29 | 29 / 29 |

To help product teams address emerging security challenges, Praetorian has created research-driven evaluation methodologies that incorporate guidance from the OWASP Application Security Verification Standard (ASVS), which normalizes the range in coverage and level of rigor applied to each application.

With its 3 levels of testing rigor, 17 security control categories, and 211 defined test cases, this approach allows our team to meet your unique testing and budget goals by offering tiered pricing based on the comprehensiveness of the security review.


The Diana Platform — Continuous Security Unified Through Software


‣ Extends security evaluations that represent a single snapshot in time with Diana’s subscription model that offers continuous security analysis

‣ Using multiple analysis methods to identify new vulnerabilities introduced by incremental code movement, Diana is designed to provide on-going, comprehensive, and efficient security coverage

‣ The Diana Platform enables you to:

✓ Track vulnerabilities to closure from identification to remediation

✓ Benchmark your results over time and across your application portfolio

✓ Integrate with 3rd-party bug tracking software and CI/CD pipeline


Find out why 97% of our clients are highly likely to recommend Praetorian. Based on all-time Net Promoter Score (NPS) of 86

Gain confidence that your Internet of Things devices and data are secure. We help product teams focus on innovation by helping solve their complex security challenges.

Learn More About Our Approach and expertise: https://www.praetorian.com/expertise/internet-of-things

EXCELLENCE IN SERVICE


We Are the Security Experts

Solving Your Cybersecurity Problems