ISO 27034 & sASM


Our Security Testing Process works on the basis of ISO 27034 and the Microsoft Security Development Lifecycle (SDL), using extensively tool-supported methods. As a result, the software and firmware we test is, after patching, actually secure: it is no longer vulnerable to the identified vulnerabilities. Our pan-European USP is the holistic, ISO 27034-based Security Testing Process with the following 5 methods:

  1. Security by Design: Support for the development of the security architecture
  2. Threat Modeling: Analysis of the security architecture for vulnerabilities
  3. Static Source Code Analysis: Tool-supported analysis of the source code
  4. Penetration Testing: Simulated attacks to check for already known attacks, including Exploratory Testing and manual code auditing
  5. Dynamic Analysis (Fuzzing as a Service®): Black-box testing with attack data known to be successful, to identify vulnerabilities in the runtime environment and the implementation

Furthermore, we use the following methods and tests:

  • Exploratory Testing and manual code auditing
  • Identification and analysis of Covert Functions (undocumented, hidden features), including on smartphones and mobile devices
  • Compliance audits of software against any kind of requirements, including guidelines and Protection Profiles

To confirm identified vulnerabilities, our security experts also write the corresponding exploits, and they fix the identified vulnerabilities with bug fixes in the source code. This enables your software development team to release a patch very quickly.

The identification of previously unidentified vulnerabilities saves the producers and the users of the software up to 99% of maintenance and troubleshooting (patch) costs [NIST, Gartner]. Moreover, our two favoured methods, Threat Modeling and Fuzzing, are prescribed by the certification institutions (e.g. the Federal Office for Information Security, BSI, for Common Criteria).

For years, our USP has been the cost-effective and very successful execution of Security Tests, including the identification of previously unidentified vulnerabilities, in any type of software: in protocols; in application software (web applications, ERP, ERM, CRM, SCM, e-business etc.); in Embedded Systems and Industrial Control Systems (ICS), Manufacturing Execution Systems (MES), production control systems, SCADA (control and monitoring systems) and PLCs down to the field level; in the smart grid (Smart Meter Gateway (SMGW), Energy Management Systems (EMS)); in Cyber-Physical Systems (CPS), M2M and Industry 4.0; in apps and applets for smart and mobile devices; in cloud computing; and in hardware.

Using both our own tool support and manual auditing methods, we have been very successful: in the projects of the last 10 years, we have identified an average of 143 previously unrecognized vulnerabilities: