http://website.isecpartners.com/secure_development_life_cycle_sdlc_services en http://website.isecpartners.com/automated_application_source_code_testing <ul> <li>Use open source static analysis tools to detect use of prohibited libraries or unsafe functions <li>Use open source static analysis tools to detect the lack of secure libraries like input filtering <li>Use open source static analysis tools to detect C/C++ memory errors <li>Use commercial web application scanning tools and filter results to provide relevance <li>Use commercial source code scanning tools and filter results to provide relevance <li>Use commercial binary analysis tools and filter results to provide relevance </ul> <br class="clear" /> Tue, 01 May 2007 04:19:14 -0700 anastasia 215 at http://website.isecpartners.com http://website.isecpartners.com/sdlc_process_gap_analysis <ul> <li>Analysis of current Threat Modeling Processes <li>Analysis of current Secure Development Guidelines <li>Analysis of current negative QA testing in development and QA organizations <li>Analysis of current Developer Training Initiatives <li>Recommendations for Automated Application &amp; Source Code Testing </ul> <br class="clear" /> Tue, 01 May 2007 04:18:40 -0700 anastasia 214 at http://website.isecpartners.com http://website.isecpartners.com/secure_framework_development <p>The "iSEC SecureWeb Framework"</p> <p>Pre-created J2EE classes that provide the basis for providing web security services: <ul> <li>Input validation classes with common pre-defined types (safe HTML, SSN, credit cards, etc.) <li>XSRF protection framework, including a token generator and a simple interface to query the “action state” of the client <li>Output validation framework, perhaps implemented as a servlet or tied to a compositing engine <li>Secure data-access-layer class, which can wrap JDBC and guarantee prevention of SQL Injection <li>Security anomaly framework. A simple framework that can be tuned by the end customer, that collects data and makes it easy to create business rules that detect fraud, such as a single user logging in from multiple geographical locations within a certain period of time. </ul> <br class="clear" /> Tue, 01 May 2007 04:18:10 -0700 anastasia 213 at http://website.isecpartners.com http://website.isecpartners.com/developer_training <ul> <li>Improving Software Security through Life Cycle Changes <li>Web Application Security QA Testing <li>Application Security Best Practices <li>Penetration Testing &amp; Binary Analysis <li>Windows Vista Security for Developers </ul> <br class="clear" /> Tue, 01 May 2007 04:17:38 -0700 anastasia 212 at http://website.isecpartners.com http://website.isecpartners.com/custom_fuzzer_development <p>Use valid test data to inject random data into the following input fields:</p> <ul> <li>Event driven inputs. Usually from a graphical user interface, or possibly from a mechanism in an embedded system. <li>Character driven inputs. Files or data streams such as sockets. <li>Database inputs. Tabular data, such as relational databases. <li>Inherited program state such as environment variables </ul> <br class="clear" /> Tue, 01 May 2007 04:17:11 -0700 anastasia 211 at http://website.isecpartners.com http://website.isecpartners.com/development_security_team_staff_augmentation <ul> <li>Standards/procedures/and examples that drive security into engineering and QA <li>Specific guidelines for avoiding problems found during penetration testing and previous assessments <li>Standards for measuring applications against the new Secure Development Guidelines </ul> <br class="clear" /> Tue, 01 May 2007 04:16:43 -0700 anastasia 210 at http://website.isecpartners.com http://website.isecpartners.com/secure_development_guideline_creation <ul> <li>Standards/procedures/and examples that drive security into engineering and QA <li>Specific guidelines for avoiding problems found during penetration testing and previous assessments <li>Standards for measuring applications against the new Secure Development Guidelines </ul> <br class="clear" /> Tue, 01 May 2007 04:16:10 -0700 anastasia 209 at http://website.isecpartners.com