The security of IT systems is becoming increasingly important as they are exposed to many potential threats through their architecture, implementation and networking. That's why we integrate security experts into our project teams (DevSec) right from the start.
Innovative IT solutions are characterized by methods and technologies that focus on flexibility, speed, openness and networking (web, cloud, continuous delivery, open source, open APIs, etc.). This provides the manufacturers and users of IT systems with many advantages. However, the security risk increases at the same time, because these systems operate in a highly dynamic, innovative environment and can no longer be protected by regular, static checks. Sometimes, a single vulnerability is all it takes to penetrate a system and cause damage.
Although the quality assurance of IT systems can be largely automated, this has limitations when it comes to security. The manual effort here continues to be higher because a wide range of attack vectors must be checked, for example as part of penetration tests. However, if security aspects are given enough consideration from the very beginning when defining the architecture and software development, the risk can be made manageable. In light of this, we have expanded our portfolio and now also offer security competences, both to protect existing systems (audits, reviews, etc.) and for security-relevant aspects of new developments, in particular. We have a team of security engineers on-board, who ensure that a system is or will be “security-minded” on an infrastructure and application level.
Threats by digital attackers
There are currently three dominant motivations for attacks. Firstly, an attacker hacks into a digital system (e.g. through a security gap in a web application or through an inadequately secured service), assigns himself far-reaching rights and encrypts the data managed by the system (ransomware). Then, a kind of “ransom” is demanded to decrypt this data again. The second type of attack is when the attacker obtains control over the hardware resources of a system, i.e. “kidnaps” the computing capacity. With these acquired resources, the attacker can affect the functionality of the system, launch widespread attacks on third-party systems, e.g. denial-of-service (DoS) attacks, or send spam emails. Computing capacity is deemed to be an asset in the network industry and can be used universally for legitimate or illicit purposes. In the third scenario, the attacker gains access to confidential data in a system (e.g. user or customer data) to sell this on the black market or use it for subsequent attacks. The consequences of such an occurrence can have a severe impact on the reputation of a company, meaning it may be viewed as untrustworthy in the eyes of its customers and other business partners for a long time after the attack. Some companies and public institutions have specific concerns beyond these risks, for example because they possess particular data in which criminals or politically motivated hackers may be interested. State-organized hacking with the aim of influencing political decision-making processes and digital espionage that targets intellectual property such as inventions are the most prominent examples here.
Basic security awareness
When we talk about the security of digital systems, we must first explain which general and specific security requirements need to be covered. Lots of general risks are monitored very accurately by the developers of large-scale, basic technical products and frameworks and are constantly taken into account in the update process, meaning a certain level of protection is guaranteed simply through careful IT operations. Systems that are not regularly maintained and not updated with the latest security patches are particularly susceptible to becoming gateways for attackers. This is seen time and again in global IT security catastrophes, such as the “WannaCry” or “Petya/NotPetya” ransomware.
Security by inovex
Digital security could be viewed as a “quality” issue, but it is so extensive, so dynamic in growth and so fast-paced a topic that we view it as a separate entity. Our security team means we are able to develop and harden basic digital components, such as web applications and IT infrastructures, in a security-related manner and thereby fulfil compliance requirements – e.g. using public key infrastructures (PKIs). However, we can also evaluate the highly innovative segments within the digital world (IoT, AI) and develop strategies for their protection. The objective is always to be prepared for attacks in the best possible way and to minimize the probability of a successful attack. We can also use penetration tests to uncover security gaps in systems that have been developed by third parties and help to close these.
Our security experts know the advantages and disadvantages of pertinent security solutions and tools and know from experience how these can be productively implemented and applied. inovex’ USP is that we are able to fill our project teams with security experts from the very start of our development of digital solutions. These experts deal with the security aspects of the IT systems, while also being able to undertake “normal” development tasks. This means that security is an integral part of the digital solution from the start of the project and guarantees the added value of the system in the long term. At inovex, we call this “DevSec”.
Our services in detail
Architecture workshops with a focus on security
Our security engineers collaborate in architecture workshops, particularly when it comes to planning new architecture and security issues are raised. We support our clients in developing the right architecture for an infrastructure, which is “security-minded” and supports the automation of security-relevant processes. This is about defining the right measure for protecting the use cases, which should then be rolled out to the infrastructure. At the end, a security concept is compiled.
Architecture review with a focus on security
If an architecture has already been developed without the involvement of a security engineer, we review this existing architecture in terms of its security aspects. During this review, we identify and classify the architecture’s risks and propose measures to improve the security. This review can be used to prepare for a security audit, for example.
Emergency deployment in case of incidents
In the case of acute security incidents, we can support companies in managing the incident and introducing practical measures (immediate, short-term, medium-term and long-term). Detailed post mortem analyses of successful intrusions are not our specialist field but we are happy to provide advice in selecting a competent service provider and initiating the measures from the results of the analysis.
Automated scanning infrastructure
We establish an automated infrastructure that scans for vulnerabilities automatically and at regular intervals – even during development or operation. Continual scanning helps to find and close vulnerabilities in good time, before an attacker exploits an obvious one. For example, a web application can be checked automatically for the OWASP Top 10 risks.
Nowadays, software has countless external dependencies on libraries, frameworks and modules. With this multitude of dependencies, it is very difficult to maintain an overview of insecure dependencies or new vulnerabilities in these dependencies. Just one single vulnerability could lead to the entire system being at risk. A dependency check makes it possible to check whether any of the many dependencies of a software system have known vulnerabilities.
Penetration tests are ideal for assessing the current security status of a system or web application. When performing a penetration test, the publicly accessible services and backend are examined specifically from the point of view of an attacker. The objective is to determine which vulnerabilities the attacker can identify and how far into the system he can actually penetrate. In addition, developers and administrators are given the assurance that security-relevant parts have been implemented correctly and the system has no known vulnerabilities.
It is only in the rarest of cases that a product or service is delivered or configured “securely” out of the box. This means the infrastructure, the service or the application is only as secure as its weakest link. When performing a hardening process, the configuration is examined for possible vulnerabilities or anomalies. The aim of the hardening process is to keep the attack surface as small as possible.
An excessive number of running or unnecessary services increases the attack surface of a system. Malware or a successful attack on a system can often open ports in order to communicate with the command center. A port scan (TCP/UDP) provides information about which services are being operated (open ports) and whether these should be outwardly accessible at all.
To penetrate a system (web application, server, service, network, ...), attackers often exploit known security holes or misconfigurations. A vulnerability scan using Nessus should prove that the system has no known vulnerabilities that an attacker could exploit or that could generally endanger the overall security of a system. A scan for vulnerabilities should not be equated with a penetration test.
Intrusion detection and intrusion prevention systems
We know from experience that attackers carry out automated scans dozens of times a day. For this reason, it is important to detect such an attack and take countermeasures as quickly as possible. IDS (intrusion detection systems) and IPS (intrusion prevention systems) are used to identify these scans. If these systems ascertain an attack pattern while observing the log files or packets, then the attacker is blocked and a message about the potential attack is sent to the person in charge.
A reconnaissance determines all the publicly accessible information about a target or company and analyses this for possible “information leaks”. This is because, before an attacker attacks a company, he tries to exploit any little pieces of information from public sources, e.g. addresses, emails, employees, financial circumstances, communication channels, technologies, DNS entries, business relationships, running systems or administrators. This information is often a gold mine because it can provide the attacker with information about internal procedures. We put ourselves in the role of a potential attacker and collect all the information about a company we can find on the internet.
Support by a security engineer
Security is not a state – it’s a process. And this is why we offer the support and collaboration of a security engineer in all security-relevant aspects from the design and development through to the final operating mode. The security engineer is your contact for all the team’s security-relevant questions and motivates the team to bear relevant issues in mind.