SektionEins is an international IT security company based in Bonn, Germany. We are specialised in identifying weaknesses and security vulnerabilities in web and mobile applications.
We offer a full range of services. This includes vendor-independent consulting, security audits and training courses.
SektionEins is also committed to the field of security research and has published numerous security advisories. In addition, our consultants are speakers at national and international conferences.
Concept Phase: At the beginning of a project it is most cost-effective to work on security topics. We develop well thought out security concepts and support secure software design. Common questions are raised and thus integrated into the software architecture, for example: Where and how is data encrypted? Who is allowed to access the data?
During development: Regular reviews of newly developed software ensure that the software contains as few security issues as possible.
Production phase: We analyse company processes in respect to security, e.g. Two-eye principle, reliability, physical and logical access protection, password policy.
Introduction to SDL: The Secure Development Lifecycle can provide more software security within in all software projects. Our consultants guide the introduction and solve problems with the transition to secure development.
Source Code Analysis: The source code of the application is analyzsed in detail to reveal as many security related issues as possible.
Penetration Testing: We act as an attacker from the outside. The application is tested manually and with automated attack tools in order to detect most obvious security issues of the application.
Infrastructure Analysis: Complex applications depend on their infrastructure. DNS, virtualization, configuration, VPN, anagement interfaces, databases, test systems. SektionEins examines the individual components and works with the customer to develop suggestions for hardening and securing all parts of the infrastructure.
Result: At the end there is always a report. Our reports are either brief to spend as much time as possible on the actual analysis. Or we will produce a detailed report with a comprehensive description of each detected vulnerabilitiy, risk assessment and recommendations on how to fix the issue.
For Developers: SektionEins offers comprehensive training sessions suitable for both beginners in web-security and skilled professionals. Designed with practical examples and exercises, participants can directly apply what they have learned and easily adapt ideas to their own projects.
For System Administrators and DevOps: A basic knowledge of web security issues has become an essential part of running applications. We provide ideas and and procedures to securely configure and run applications.
Workshops take one or more days - usually two or three. They consist of introductory lectures and extensive practical parts. The contents are adapted to individual wishes.
Here is an excerpt from the topics of trainings that we have already held for customers.
- Brief: HTTP basics and attack surface
- Web Application Attacks (Information Leakage, XSS, CSRF, SQL Injection, Code Injection, Code Inclusion, HTTP Header Injection, Unserialize, Logical Errors, Clickjacking)
- Session Management
- Access Controls
- Cryptographic functions and random numbers
- Error handling and logging
- Hardening of configuration and server environment
- Security throughout the development process: Thread Modeling and SDL
- Security testing basics and tools for secure programming
All lectures and trainings can also be held in English and German.
Attacks on GnuPG's Web Key Directory (WKD)
Multiple vulnerabilities regarding GnuPG/WKD and how to attack them
Tool: OpenSSHd Security Configuration Checker
Tool: Check your SSHd configuration for security flaws
PEGASUS iOS Kernel Vulnerability Explained - Part 2
After our analysis of CVE-2016-4656 from last week new details have surfaced.
PEGASUS iOS Kernel Vulnerability Explained
SektionEins has analysed Apple's iOS security patches to find out more about the kernel vulnerability CVE-2016-4656 abused by the PEGASUS iOS malware.