We, at Blueinfy, a company founded by globally recognised security experts and researchers, specialize in software security with a clear strategic focus. We add value to your organization by virtually becoming your extended arm in securing your applications with best-in-class quality and efficiency. We achieve this through continually evolving state-of-the-art know-how built by enhancing methodologies, evolving tools and researching technologies. This competence is derived from the three pillars of research, training and assessment experience reinforcing each other in our committed organizational environment. Our dedicated team of certified experts has years of focused experience in penetration testing and code review, including services provided to global Fortune 500 customers as well as global security assessment companies. Our team’s customer focus and nimble-footedness also enable us to provide superior and faster customer service.
WHAT WE OFFER :
90% of applications have one or more types of vulnerabilities that pose major threats from attackers who may exploit them to breach their security. Since automated scanning proves inadequate in uncovering all exploitable vulnerabilities, our Application Penetration Testing Service complements this with manual testing powered by expert human intelligence. It is a Black-Box assessment approach.
We :
Our Service Engagement Options :
HOW DO WE DO THIS :
Our methodology (detailed here) is implemented using systems and processes developed based on years of focused experience in assessment, research and training in DAST.
WHY US :
Best-in-class Capability arising from :
Customer Centric Commitment :
Actionable report (with zero false positives) is the key deliverable that includes :
WHAT WE OFFER :
Mobile applications are inherently complex in nature. They are composed of two broad components – one running on the phone/mobile device, which is responsible primarily for presentation and client-side logic, and the other running on the server side, which is responsible for business logic. We carry out an extremely thorough and accurate assessment of both components and discover potential vulnerabilities that can be exploited by attackers. By analyzing the nature of the application and the platform, we create a threat model, attack vectors and various exploit scenarios. We have developed our own tools and scripts to perform reverse engineering, protocol analysis and fuzzing in order to discover vulnerabilities. It is imperative to analyze the architecture, design and implementation of the mobile application and its various access controls and services before launching the application.
We :
Our Service Engagement Options :
HOW DO WE DO THIS :
Our methodology (detailed here) is implemented using systems and processes developed based on years of focused experience in assessment, research and training in DAST.
WHY US :
Best-in-class Capability arising from :
Customer Centric Commitment :
Actionable report (with zero false positives) is the key deliverable that includes :
WHAT WE OFFER :
90% of applications have one or more types of vulnerabilities that pose major threats from attackers who may exploit them to breach their security. The root cause of these vulnerabilities resides in the code layer. Source code written poorly from a security standpoint opens up exploitable vulnerabilities. Our Code Review Service uses semi-automated tools in combination with expert human intelligence. It is a White-Box assessment approach using SAST methodology.
We :
Our Service Engagement Options :
HOW DO WE DO THIS :
Our methodology (detailed here) is implemented using systems and processes developed based on years of focused experience in assessment, research and training in SAST.
WHY US :
Best-in-class Capability arising from :
Customer Centric Commitment :
Actionable report (with zero false positives) is the key deliverable that includes :
WHAT WE OFFER :
90% of applications have one or more types of vulnerabilities that pose major threats from attackers who may exploit them to breach their security. Before writing the code and building the application it is necessary to review the architecture security of the application. We provide this service to our customers thus enabling them to identify possible threats and build defenses right at the beginning of the SDLC. We create a report identifying the architecture layer weaknesses and suggesting a possible defense plan for the application. Developers can use this report to implement mitigation strategies to build a solid and secure application.
We :
WHY US :
Best-in-class Capability arising from :
Customer Centric Commitment :
Actionable report (with zero false positives) is the key deliverable that includes :
WHAT WE OFFER :
An increasing number of companies these days are using agile development methodology for their applications to better serve business requirements. Here, the number of release cycles per unit time is very high and one of the biggest challenges for their security teams is to ensure security assessment of these applications in pace with their rapid development in a highly dynamic world. To address this challenge, we have designed a special service suited to review applications developed with agile methodology needing far more frequent security attention compared to traditional applications.
We :
Our Service Engagement Options :
HOW DO WE DO THIS :
Our methodology (detailed here) is implemented using systems and processes developed based on years of focused experience in assessment, research and training in DAST.
WHY US :
Best-in-class Capability arising from :
Customer Centric Commitment :
Actionable report (with zero false positives) is the key deliverable that includes :
WHAT WE OFFER :
Many corporates have realized that “training and awareness” is the first line of defense for application security. Developers, QA testers, software architects, administrators and executives need to empower themselves with solid knowledge of software security. It is imperative to have knowledge of attack vectors, exploits and defense strategies at all levels of corporate staff.
Besides trainings delivered at industry accepted conferences, we also provide unique customized trainings for corporates that meet their exact needs. We develop such customized trainings based on a thorough study of the technologies, libraries and methodologies used by the customer.
Our training courses have been developed by an author of popular books like “Web Hacking”, “Hacking Web Services” and “Web 2.0 Security - Defending Ajax, RIA and SOA”. These training courses address the current needs for application layer security. The courses are “hands on” and can be conducted in 2 to 4 days of training sessions. These popular courses have been conducted world-wide and have gained appreciation from various corporate customers.
We offer the following trainings :
WHY US :
Best-in-class Capability :
Customer Centric Commitment :
WHAT WE OFFER :
90% of applications have one or more types of vulnerabilities that pose major threats from attackers who may exploit them to breach their security. Hence applications like web, mobile and APIs need one-time and/or on-going scanning to identify such potential vulnerabilities. This service provides automated scanning, monitored and validated with the minimum essential, well-directed human intelligence. This produces accurate and actionable results for mitigation and defense with respect to possible vulnerabilities.
We :
Our Service Engagement Options :
HOW DO WE DO THIS :
Our methodology (detailed here) is implemented using automated scanners (combination of open source, commercial and proprietary) backed with a minimum of human intelligence using systems and processes developed based on years of focused experience in assessment, research and training in DAST.
WHY US :
Best-in-class Capability :
Customer Centric Commitment :
Actionable report (with zero false positives) is the key deliverable that includes :
WHAT WE OFFER :
Companies are using automated scanners (DAST/SAST) regularly and these generate exhaustive reports with a large list of vulnerabilities. Almost always, these generated lists contain a large number of false positives, both in DAST and SAST scans. These false positives create a lot of unnecessary confusion for developers and administrators. It is imperative to remove these false positives to build an accurate, actionable report for the development team. In this service, we provide false positive removal and report enhancement on any previously run automated scan performed by commercial or open-source products, tools or services.
We :
Our Service Engagement Options :
WHY US :
Best-in-class Capability :
Customer Centric Commitment :
Actionable report (with zero false positives) is the key deliverable that includes :
WHAT WE OFFER :
SaaS (Software as a Service) based product companies extend their application features by supporting Marketplace applications. Marketplace applications, built using the platform APIs and features in platform-supported languages, facilitate exchange between creators and users. Once deployed, a Marketplace application is seamlessly integrated with the platform as if it were the platform’s own functionality. Hence, any third-party company can integrate its features/services by developing an application in the company’s marketplace to increase the application usage. It is a clear advantage to the end users who are engaged with both companies. However, as Marketplace applications have full privileges to the platform, poorly written Marketplace applications can compromise the security of the company’s platform along with the company’s users’ data.
Thus, it becomes extremely important for the companies to protect their platform itself as well as the data of users whenever users use the Marketplace apps developed by a third party. Any exploitable vulnerability in the Marketplace applications can result in unauthorized disclosure/loss of data or may even compromise the platform. Besides this, it is equally important to assess the integration, data storage, backdoors, handling of secrets, and communication with third-party platforms/apps to protect the data and identities of users.
We :
Our Service Engagement Options :
HOW DO WE DO THIS :
Our methodology (detailed here) is implemented using processes developed based on years of focused experience in assessments and research in Marketplace Application Penetration Testing.
WHY US :
Best-in-class Capability :
Customer Centric Commitment :
Actionable report (with zero false positives) is the key deliverable that includes :
Web 2.0 Security - Defending Ajax, RIA and SOA (Thomson): SOA, RIA, and Ajax are the backbone behind the now widespread Web 2.0 applications such as MySpace, GoogleMaps, and Wikipedia. Although these robust tools make next generation web applications possible, they also add new security concerns to the field of web application security. Brief at Amazon
Hacking Web Services (Thomson): Great exposure for security professionals, developers and administrators about Web services security issues, methodologies and defense strategies. Brief at Amazon
Web Hacking (AWL): Exposes complete methodologies showing the actual techniques and attacks. Shows countermeasures, tools, and eye-opening case studies. Brief at Amazon
Talk & Training
XSS and CSRF with HTML5
FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Web Attacks - Top threats - 2010
Secure SDLC for Software
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
[Infosecworld 08 Orlando] New Defenses for .NET Web Apps: IHttpModule in Practice
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
AppSec 2007 - .NET Web Services Hacking
Advanced applications-architecture-threats
HTTP protocol and Streams Security
Assessment methodology and approach
Application footprinting, discovery and enumeration
SQL injection basics
Application fuzzing
Blind SQL Injection
XPATH, LDAP and Path Traversal Injection
Defending against Injections
XSS - Attacks & Defense
CSRF, ClickJacking & Open Redirect
HTML5 hacking
Source Code Analysis with SAST
Web Services Hacking and Security
Mobile Application Scan and Testing
Mobile security chess board - attacks & defense
Mobile code mining for discovery and exploits (nullcon Goa 2013)
iOS Application Security Testing
HTML5 on mobile
Android secure coding
Android Attacks
Automation In Android & iOS Application Review
90% of applications have one or more types of vulnerabilities that pose major threats from attackers who may exploit them to breach their security. Since automated scanning proves inadequate in uncovering all exploitable vulnerabilities, our Application Penetration Testing Service complements this with manual testing powered by expert human intelligence. Here is the methodology for thorough testing-
As Marketplace applications have full privileges to the platform, poorly written Marketplace applications can compromise the security of the company’s platform along with the company’s users’ data. The security testing methodology for Marketplace applications is similar to DAST. However, the integration with the third-party application, data flow interactions between the two applications, and secure utilization of the platform user’s sensitive information (session id, auth parameters) require special attention during the penetration testing along with the usual web security controls. The typical architecture of a Marketplace application would be,
The methodology for the penetration testing would be,
90% of applications have one or more types of vulnerabilities that pose major threats from attackers who may exploit them to breach their security. The root cause of these vulnerabilities resides in the code layer. Source code written poorly from a security standpoint opens up exploitable vulnerabilities. Our Code Review Service uses semi-automated tools in combination with expert human intelligence. It is a White-Box assessment approach using SAST methodology. Here is the methodology for thorough testing-
Mobile applications are inherently complex in nature. They are composed of two broad components – one running on the phone/mobile device, which is responsible primarily for presentation and client-side logic, and the other running on the server side, which is responsible for business logic. We carry out an extremely thorough and accurate assessment of both components and discover potential vulnerabilities that can be exploited by attackers. By analyzing the nature of the application and the platform, we create a threat model, attack vectors and various exploit scenarios. We have developed our own tools and scripts to perform reverse engineering, protocol analysis and fuzzing in order to discover vulnerabilities. It is imperative to analyze the architecture, design and implementation of the mobile application and its various access controls and services before launching the application. Here is the methodology for thorough testing-
Static Tools
Mobile Tools
Scan Tools
Shreeraj Shah, Founder of Blueinfy Solutions, is the security research head and strategic direction guide at the company. As the research head, he monitors the latest developments in the field and researches new probable vulnerabilities, exploit opportunities and risk exposures that may arise for customers. His research guides the development of new assessment tools and the up-gradation of assessment processes at the company. To remain updated with applications and their assessment, and to inform his research thinking, he also works hands-on with the assessment teams on some applications. Some of his research is also published through the Blueinfy blog. He has more than 20 years of experience in the software security domain. He has earlier worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is the author of many popular security books like “Web 2.0 Security”, “Hacking Web Services” and “Web Hacking: Attacks and Defense”. In addition, he has published several advisories, tools, and whitepapers, and has presented talks and/or trainings at numerous conferences including RSA, Black Hat, AusCERT, InfosecWorld (Misti), HackInTheBox, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on SecurityFocus, InformIT, DevX, O’Reilly and HNS. His work has been quoted on BBC, Dark Reading, Bank Technology, MIT Technology Review and SecurityWeek as an expert in the area of HTML5, Web 2.0 and browser security. He was one of the founders of eSphere Security, iAppSecure and Net-Square in the past and is associated as an advisor to some companies too.
Hemil Shah, Co-CEO and Director at Blueinfy, is responsible for customer engagement, assessment implementation and customer communication. He focuses on development and continuous up-gradation of assessment processes and systems to ensure delivery of best-in-class assessment quality. He is very much a hands-on person who works very closely with teams to ensure that customer applications are assessed accurately with maximum coverage in width and depth. He also contributes regularly to Blueinfy’s blog. He has more than 15 years of experience in the software security industry. Prior to joining Blueinfy, Hemil worked for HBO and KPMG, where he was a key member of their internal software security team. Before that, he also worked for IL&FS and Net-Square, being involved with software security assurance and assessment respectively. He has delivered talks and/or trainings on mobile and application security at various respected conferences, such as HiTB, OWASP Europe, InfoSec World, DeepSec, SyScan and BreakPoint to name a few. He is one of the founders of eSphere Security and a mentor at ExtendedITArms.
Amish Shah, Co-CEO and Director at Blueinfy, is the technical head at the company. He is responsible for the development of assessment tools, for architecture and code security review and for technical resolution of all challenges that come up in the assessment process. He brings a unique combination of project management, software development and instrumentation skills in addition to software security assessment, with over 20 years of experience in network/web application vulnerability assessment, penetration testing, design, development and industrial automation. His experience includes development of automated vulnerability scanners, web application firewalls, Linux/win32 system programs, kernel-level drivers, Internet Explorer plug-ins and web server plug-ins amongst many others. He has strong expertise in reverse engineering and source code audits. In addition, he has published an advisory on the Microsoft Research website and has also contributed to the "Secure Coding in C/C++" article on SANS. He works to innovate and build scalable smart technologies that enhance the accuracy and effectiveness of discovering vulnerabilities and weaknesses in applications by enabling wider and deeper application security analysis.
Research is an area of key importance at Blueinfy. It feeds our assessment and training capabilities on one hand and builds on inputs received from them on the other. Thus, research, assessment experience and training reinforce each other enabling us to remain at the cutting-edge in the software security domain.
Research yields the following :