Vector is known for the full portfolio of testing tools. Vector Consulting also delivers external and independent Security Testing. We support companies worldwide , ranging from Code Quality Analysis, to Unit tests, Fuzzing and Penetration Testing. Our novel Grey-Box PenTest techniques yield better vulnerability with lower cost. All test is also offered as remote activity.
At Vector Consulting, we are using a specific methodology for risk-based testing. While brute-force testing might sound appealing to detect weakness at any place, it is expensive and not effective. No test is complete, and brute-force PenTest for sure will overlook specific feature correlations.
Vector therefore has developed our own Grey-box Security Testing suite where we conduct a mini-TARA and on this basis, identify the attack vectors and test focus based on assets and risks. It is grey-box because we follow the black-box security testing approach, while considering specific risks due to attacks and implementation. For instance, a specific architecture or protocol – when known – invites specific attacks, such as CAN with DOS attacks. On this well-founded methodological basis, the security items in scope of the security engineering process are identified and agreed.
"Vector Consulting Services is a good partner for Claas to implement cybersecurity. Claas had great benefits from the Vector team for TARA and Security Engineering."
- Alexander Grossmann, Manager, Claas
"Vector Consulting Services supported Panasonic with cybersecurity, demonstrating an outstanding level of expertise. The goal of a comprehensive TARA integrated into a security concept was achieved. The support was intense and very successful!"
- Michael Prantke, Project Manager, Panasonic
Frame fuzzing is used to check the general robustness of the device. To detect any ‘silent’ services that may be available in the system but only activate upon receiving a CAN frame with a specific ID, a CAN-Frame Fuzzer is used which is able to generate random CAN frames within a configurable address range.
Signal fuzzing is used on the database defined messages to target the application software of the DUT with forged signal data which may uncover unexpected behavior, like resets. Such behavior of the target may point to a software vulnerability which may be exploitable.
Interface Discovery: All available hardware interfaces of the system will be determined, and preliminary tests will be performed to detect target responsiveness towards communication attempts over the respective external interface.
Network Discovery: The network traffic will be analyzed to determine used protocols, communication patterns and determine the systems baseline behavior.
Network penetration test: With the information from network discovery, we are able to mount network-based attack against the system, using low-level access to the bus to stress the DUT with forged frames.
Software penetration test: Through reverse engineering vulnerabilities are searched and possible attack vectors determined.
Grey-Box penetration test: We conduct a mini-TARA and on this basis, identify the attack vectors and test focus based on assets and risks. It is grey-box because we follow the black-box security testing approach, while considering specific risks due to attacks and implementation. Grey-Box PenTest enhances test-effectiveness and cost-efficiency thanks to the knowledge of architecture, good traceability, attack-free accuracy and risk-analysis.
Code Quality Analysis
Architecture analysis: Verification of the implemented architecture against the planned architecture
Design and code analysis: Identification of typical design weakness, verification of the source codes with regards to compliance with programming specifications or critical code areas.
Preventive defect analysis: Tool-supported analysis independent of suspicion on faulty or critical programming construction and maintenance risks.
License analysis: Early identification of open source components to check the legal requirements.
Security Verification and Testing
Multi-level Security Verification, Validation and Hardening
“Vector Consulting supported Panasonic in cybersecurity, demonstrating outstanding expertise. The goal of a comprehensive TARA, integrated into a security concept, was achieved!” - Michael Prantke, Panasonic
In this webinar of May 2020, based on our experience inside Vector and client projects, we will describe new standards and experiences. The webinar is structured into four parts: risk-oriented security, systematic security engineering, case studies and examples, conclusions and outlook.
COMPASS is a solution of Vector for planning, executing and evaluating assessments, audits and analyses. It satisfies all requirements relevant to an efficient audit and analysis tool (support based on different maturity models, assessment methods and other checks). COMPASS is not restricted to one specific maturity model, it rather supports different models and can be extended to customized models and checks if desired. This video gives a short introduction to COMPASS SecurityCheck.