Professional Services Overview
Internet of Things (IoT) Security Assessment and Advisory Services
THE SECURITY EXPERTS WWW.PRAETORIAN.COM
We Are the Security Experts Solving Your Cybersecurity Problems
An Established and Growing Services Firm

HISTORY
‣ Founded in 2010
‣ Headquartered in Austin, TX
‣ Self-funded
‣ Profitable since inception

ATTRIBUTES
‣ Superior technical prowess
‣ Comprehensive reporting
‣ Trusted business acumen
‣ Time-tested methodologies

PROPOSITION
‣ Praetorian provides end-to-end Internet of Things (IoT) penetration testing and security assessment services that help organizations successfully balance risk with time-to-market pressures.

MAJOR IOT VERTICALS
‣ IoT Platforms
‣ Connected Home
‣ Industrial Internet
‣ Connected Vehicles
‣ Healthcare
‣ Critical Infrastructure

FOCUSED ON FORTUNE 1,000 & VENTURE-BACKED STARTUPS
Our Engineers Are “The Security Experts”
When you're constantly advancing your industry and helping to secure today's leading organizations, people notice.
‣ Top 5% of the industry
‣ Certified expertise includes: OSCP, OSCE, CISSP, CISA, CSSLP, CEH, GCIH, GSEC, GNSA, GCIH, GCFW, GWAPT, GAWN, GCFE
‣ Respected authors, researchers, federal security policy contributors, patent holders and open-source developers
‣ Speakers at major security conferences and professors at major universities
‣ Educational backgrounds in computer science, engineering, and information systems
We Act as the Security Experts for Today’s Leading Organizations
Praetorian is uniquely positioned to spot gaps and anticipate shifts in Internet of Things security trends across our diverse customers and the industries we serve.
Clients Focused on the Internet of Things (IoT) Include
Partnerships Across the IoT Landscape — From Chip to Cloud
Security Program for Azure IoT
Praetorian was the first global auditing partner under Microsoft's Security Program for Azure IoT. Microsoft recognized Praetorian as a “best-in-class” IoT security auditor.
https://blogs.microsoft.com/iot/2016/10/26/introducing-the-security-program-for-azure-iot/

Partners, from Chip to Cloud: remaining product agnostic while developing relationships with IoT vendors.
Built on Expertise, Engineered to Scale, Unified through Software
Internet of Things (IoT) Security Assessments, from Chip to Cloud
INTERNET OF THINGS END-TO-END SECURITY
Gain confidence that your Internet of Things (IoT) devices and data are secure.
Praetorian provides end-to-end Internet of Things (IoT) penetration testing and security assessment services that help organizations successfully balance risk with time-to-market pressures. Our solutions provide coverage across technological domains, including embedded devices, firmware, wireless communication protocols, web and mobile applications, cloud services and APIs, and back-end network infrastructure.

APPLICATIONS: We actively analyze web and mobile applications for any weaknesses, technical flaws, or vulnerabilities.
CLOUD SERVICES: It is critical that cloud services and APIs be tested to determine whether they can be abused by attackers.
INFRASTRUCTURE: Is the backend network infrastructure supporting your Internet of Things product ecosystem secure?
EMBEDDED DEVICES: Identify physical and logical security threats to the embedded systems in your IoT product ecosystem.
DEVICE FIRMWARE: We help ensure hardware and chip makers have sufficiently addressed IoT firmware insecurities.
WIRELESS PROTOCOLS: Validate the security and configuration of wireless communication such as ZigBee, 6LoWPAN, and BLE.

PROFESSIONAL SECURITY EVALUATIONS
Domains: IoT, Web, Mobile, Cloud, Network, ICS
Analysis: Run-time Analysis, Binary Analysis, Static Analysis, Design Analysis, Hardware Analysis
Services: Penetration Testing, Reverse Engineering, Code Reviews, Threat Modeling, Device Testing
Guided by the OWASP Application Security Verification Standard (ASVS)
(800) 675-5152 · [email protected] · www.praetorian.com
Professional Security Evaluations Overview
(Figure: Professional Security Evaluations overview, based on IEEE Computer Society estimates)
OWASP Application Security Verification Standard (ASVS)
Praetorian follows the OWASP ASVS standard, which normalizes the range in coverage and level of rigor applied to each application.

Level 0: Cursory · Level 1: Opportunistic · Level 2: Standard · Level 3: Advanced
Level 0 (or Cursory) is an optional certification, indicating that the application has passed some type of verification.
Level 1 (or Opportunistic) certified applications adequately defend against security vulnerabilities that are easy to discover.
Level 2 (or Standard) verified applications adequately defend against prevalent security vulnerabilities whose existence poses moderate-to-serious risk.
Level 3 (or Advanced) certified applications adequately defend against advanced security vulnerabilities, and demonstrate principles of good security design.
OWASP Application Security Verification Standard (ASVS)
OWASP ASVS defines the following security requirements areas:
‣ Authentication
‣ Session Management
‣ Access Control
‣ Malicious Input Handling
‣ Cryptography at Rest
‣ Error Handling and Logging
‣ Data Protection
‣ Communications Security
‣ HTTP Security
‣ Malicious Controls
‣ Business Logic
‣ File and Resource
‣ Mobile
‣ Embedded Devices (NEW)
OWASP ASVS for Internet of Things (IoT) Testing Coverage Matrix
OWASP ASVS defines the specific test cases that are in scope for each ASVS level. The matrix below shows, for each security control group, how many of its test cases are covered at each level.
Coverage key (colour-coded in the original): Excellent / Good / Fair / Inadequate

Security Control Group                  Level 1: Opportunistic   Level 2: Standard   Level 3: Advanced
--------------------------------------  -----------------------  ------------------  ------------------
Architecture, Design, Threat Modeling    1 / 11                   8 / 11              11 / 11
Authentication Controls                 17 / 26                  24 / 26              26 / 26
Session Management Controls             11 / 13                  13 / 13              13 / 13
Access Control                           7 / 12                  11 / 12              12 / 12
Malicious Input Handling                10 / 21                  20 / 21              21 / 21
Cryptography at Rest Controls            2 / 10                   7 / 10              10 / 10
Error Handling & Logging Controls        3 / 13                   9 / 13              13 / 13
Data Protection Controls                 4 / 11                   8 / 11              11 / 11
Communications Security Controls         7 / 13                   9 / 13              13 / 13
HTTP Security Controls                   6 / 8                    8 / 8                8 / 8
Malicious Controls                       0 / 2                    0 / 2                2 / 2
Business Logic Controls                  0 / 2                    2 / 2                2 / 2
Files and Resources Controls             7 / 9                    9 / 9                9 / 9
Mobile Controls                          7 / 11                  10 / 11              11 / 11
Web Services Controls                    7 / 10                  10 / 10              10 / 10
Configuration Controls                   1 / 10                   5 / 10              10 / 10
Embedded Device Controls (NEW)          10 / 29                  20 / 29              29 / 29
To help product teams address emerging security challenges, Praetorian has created research-driven evaluation methodologies that incorporate guidance from the OWASP Application Security Verification Standard (ASVS), which normalizes the range in coverage and level of rigor applied to each application.
With its 3 levels of testing rigor, 17 security control categories, and 211 defined test cases, this approach allows our team to meet your unique testing and budget goals by offering tiered pricing based on the comprehensiveness of the security review.
Built on Expertise, Engineered to Scale, Unified through Software
(Figure: platform screenshot showing Bug Tracking and EXPORT features)
EXCELLENCE IN SERVICE
Find out why 97% of our clients are highly likely to recommend Praetorian, based on an all-time Net Promoter Score (NPS) of 86.
Gain confidence that your Internet of Things devices and data are secure. We help product teams focus on innovation by helping solve their complex security challenges.
Learn more about our approach and expertise: https://www.praetorian.com/expertise/internet-of-things