CSPN: software security assessment

This security certification has been created by the French Network and Information Security Agency (ANSSI). This approach implies limited time and workload. It also focuses on the analysis of vulnerabilities. The label takes the shape of a certificate delivered by the ANSSI, and is based on the evaluation results.

The ANSSI audits the skills of the candidate laboratory. Then a license is granted for the technical fields in which the laboratory has been recognised as skilled. Our authorization covers the following fields:

  • Intrusion detection
  • Anti-virus, protection against malicious applications
  • Firewall
  • Security administration and supervision
  • Identification, authentication and access control
  • Secure communication
  • Secure messaging
  • Secure storage

Reverse Engineering

Reverse engineering is the ability to study a software without having its source code. In many situations, this is a necessity:

  • Analysing malware
  • Working on interoperability
  • Checking for bugs/security mechanisms/cryptography in 3rd party software

Our team is able to work on lots of different systems (Windows, Linux, or embedded OS running on not so well known hardware), different CPUs (x86, ARM, MIPS, PPC, ...). We use our own tools, especially metasm for which we develop specific internal scripts.

Red Team

Most of the time, penetration testing is very limited: only check one server, do not look beside it, ... far from real-life attackers.

Thanks to our research & development, we have very efficient tools (rootkits, backdoors, PDF crafters, ...) to intrude a target network, and stay hidden for a very long time. We are asked to evaluate the difficulty to steal sensitive information, or to take over an internal network, no matter what we use. Red team operations are acting like real attackers would do.

The goals of such a red team operation are:

  • Evaluate the attack surface from the outside
  • Evaluate the price needed to go in
  • Evaluate which sensitive information can be stolen
  • Evaluate the detection and response capabilities

Research & Development

We enjoy being challenged on various topics related to security:

  • DRM (Digital Right Management): can we retrieve the unprotected content or the keys used in the application?
  • Mobile phone security: what can attackers do with a stolen or found mobile phone?
  • Pentesting tool development: need for a specific tool also bypassing some anti-virus?
  • Vulnerability research: would like to know if there are coding or a design flaws in a software?
  • Exploit coding or fixing: need an exploit not publicly available or to improve its reliability?
  • Packer design: want to protect a software running with strong constraints?
  • ...

All these jobs share the same ground: explore new solutions. Mixing a good technical and scientific knowledge of computer systems with lot of creativity, we provide our customer with innovative and working solutions.