Security Development Lifecycle or SDLC is a software development module that supports developers to build more secure software in compliance with all security requirements.

Even as early as in the project conception and requirements gathering, it is important to correlate all data to the security risks that they may present or favor. With a mapping of the possible threats brought by the system’s requirements, information security solutions are added to the development process.

A project built with SDLC presents greater resilience against vulnerabilities and threats, reducing the costs, chances of fraud and future maintenances to correct problems originated from security flaws.

Activities of the SDLC process involve the following tasks:

• Gathering of security requirements;
• Tracking of the project management;
• Software Architecture Security Analysis;
• Threat Modeling;
• Generation of reports and best practices documents.

The final result aims to reduce the attack surface offered by the system under scope and strengthen its confidentiality, integrity and availability.

Our security-oriented smart contract review follows an organized methodology with the intent to identify the largest number of vulnerabilities in the contracts under scope from the perspective of a motivated, technically capable and persistent adversary.

Special attention is directed towards critical areas of the smart contract such as burning of tokens and functioning of the multi-signature. Our process also looks into other common implementation issues that lead to problems like reentrancy, mathematical overflows and underflows, gas-related denial of service, etc.

Blaze's smart contract review methodology involves automated and manual audit techniques.

The applications are subjected to a round of dynamic analysis using tools like linters, program profilers and source code security scanners. The contracts have their source code manually inspected for security flaws. This type of analysis has the ability to detect issues that are missed by automated scanners and static analyzers, as it can discover edge-cases and business logic-related problems.

Threat Intelligence provides tangible benefits to organizations, allowing them to develop a proactive security posture regarding information security and risk management, replacing an onerous reactive one. The greatest benefit it brings is to provides the customer the chance to anticipate threats before they become an imminent risk to the business.

In the threat intelligence service offered by Blaze Information Security, the gathering of information is achieved predominantly through automated fashion, using home made tools and scripts, with outputs validated by our intelligence analysts. The collected data is posteriorly correlated and interpreted in order to imbue it with business and technical context so it can become useful to the decision making process of our customer.

The result of this service provides our customers the opportunity to optimize the protection of their assets, direct efforts properly in order to mitigate identified problems and anticipate threats. Thus enhancing the resilience of the Organization against cyber crimes, diminishing the risk and losses associated with fraud and malicious activities to the business.

Infrastructure penetration test consists in the identification and exploitation of vulnerabilities and threats to your business from the perspective of either an external adversary or an insider in the organization.

Security assessments are carried out through a controlled attack simulation tailored to our clients business, determining with accuracy the real risk exposure of your organization.

The main objective of this service is to be ahead of the game of a malicious insider, such as a disgruntled employee, that may have basic access to the network. This service can also be used to evaluate and validate the organization’s defenses against a scenario of a motivated and persistent external attacker with no privileged access or knowledge about the network infrastructure.

Such assessment provides a valuable insight into the business’s security policies, patch management and can be used for audit processes that require security testing such as PCI-DSS and ISO/IEC 27001.

Many corporate network breaches start with insecure web applications and APIs due to a number of factors, among them large quantity of different technologies and short development deadlines leading to the introduction of security defects.

The aim of web application and API security testing is to identify vulnerabilities that can cause direct interference to the continuity and resilience of the business, as in many cases web applications and APIs often handle sensitive information and other resources considered vital to an organization.

The assessments are performed by our expert consultants in a manual fashion, aided by the development of tools and scripts specific to each application under test. We go above and beyond common issues found in OWASP Top 10 and also cover many modern vulnerability classes affecting web-based technologies.

With the result of the assessment our clients can protect their assets and direct the efforts to mitigate the identified issues, enhancing the robustness and bolstering the resilience of the application or API against cyber attacks.

The meteoric rise of business-critical mobile apps brings new risks for organizations that rely on mobile devices and applications on a daily basis. Another risk factor for mobile application is the current security maturity level for such platforms -- many risks are still not well understood and the lack of well-established security practices and frameworks, as well as the overall lack of maturity of application developers make the mobile world more prone to vulnerabilities than others.

Penetration test of mobile apps involve simulating the actions of a skilled attacker to identify vulnerabilities both in the application's supporting infrastructure (backend APIs and databases), in the communication between the app and the server, and an analysis of the application per se, along with its interaction with the device.

Blaze’s security consultants are well versed with penetration testing of Android and iOS applications.

With the results of the analysis the organization can improve the security of its business-critical mobile applications and reduce the risk to minimum levels.

The constant discovery of new vulnerabilities brings new challenges to the security management of an organization. To keep your IT staff up-to-date with the latest cybersecurity trends and threats usually requires a massive financial investment and time.

With the intent to help our clients in this matter, our vulnerability management service periodically monitors the security prosture of your IT infrastructure, web and mobile applications to identify the level of risk they may bring to your organization.

The analysis takes place in a daily basis, where our consultants perform security tests against the systems under scope. When a vulnerability is identified, the client's IT team is immediately notified through the dashboard of our in-house developed VMS (Vulnerability Management System).

Why to hire our vulnerability management services?

• The consultants of Blaze Information Security are constantly updated about new vulnerabilities and cybersecurity trends
• Our clients can have a 360 degrees vision of the risk their IT infrastructure may be exposed to
• We assist the client during the entire process of fixing the vulnerabilities
• Reduce the inherent risk posed by exploitable vulnerabilities

Our vulnerability management service was designed to work in a modular fashion, giving the opportunity to clients to opt for a continuous security management specific to the relevant technologies of their business.

The existence of software vulnerabilities often originate in the source code. Our experienced consultants are able to perform code review of software written in popular languages such as Java, Ruby, Python, C/C++, PHP, ASP.NET, C#.NET as well as less popular ones such as Solidity and others.

Our analysis consists in code scanning using security-focused static analysis tools and use our man-powered expertise to perform manual code review to identify vulnerabilities and design errors that can pose a serious risk to the application.

The result of the assessment is a document explaining the issues discovered along with information advising your development team how to fixing the vulnerabilities identified and, perhaps more importantly, how to prevent similar errors in the future.

The diversification of applications on the Internet has been accompained with the rise in the number of security incidents. The severity of an attack may vary, and in some cases it might cause serious operational impact in the business, ultimately causing major financial losses.

Incident response is the rapid reaction team used to manage the consequences of a breach. The main objective of an incident response is to minimize the impact of a security compromise and allow a rapid recovery of the systems, guaranteeing business continuity, as well as investigate the root cause of the breach and improve the security posture of the systems in order to reduce the risk of successful incidents in the future.

Blaze Information Security offers security assessments of products developed in-house or that are commercial off-the-shelf.

The assessment consists in the evaluation of all security aspects that will be impacted by a new application or device that will be inserted in the corporate network. A detailed analysis of the attack surface of the product under test is performed, taking into consideration its security expectations and objectives and threat model. In general, product security aims to verify the resilience of all components of the product under test -- typically, this service is composed of infrastructure testing, code review, architecture analysis and application security, as well as the creation of bespoke scripts and custom tools for analysis, such as fuzzers.

Our offering benefits vendors that want their product to be evaluated from a security point of view before it is shipped to the market, and for organizations that want to make sure that bringing in another appliance or software to their network will not cause an adverse impact to its security posture.