Software Security

Security tests and evaluations

Software is used in the corporate environment in countless variations and configurations, but its use requires a critical view of the risks. Software security checks and release mechanisms can be used to effectively counter the threat posed by attackers. IT managers therefore have to ask themselves how they can minimize risks for their company without losing sight of the cost-benefit ratio.

Overview - What we do

  • We support you in securing open source and closed source software.
  • We support you in developing secure software: Through threat modelling, conceptual security checks or penetration tests.
  • We develop special analysis tools to detect weaknesses in software (source/compiled code) fully automatically and to identify possible solutions.
  • We develop special analysis tools to fully automatically check internal software programming guidelines in software solutions.
  • We inform manufacturers about potential security problems in their software.
  • We give developers concrete recommendations for secure software implementation.

Our expertise

Our experience from deep manual software assessment projects since 2004 and our strong understanding of IT security risks in software implementations enable us to efficiently conduct software security investigations and assessments.

Our proprietary tools enable us to evaluate hardened software (e.g. software with debugger detection, rooting detection, code obfuscation, software integrity checking and hooking detection). This is done through static and dynamic analysis, symbolic execution, fuzzing and similarity detection, or, where it is available, through review of the software's source code.

Our services

For the following project types, various approaches can be used in consultation with you, including conceptual review, black box penetration testing, reverse engineering and source code audit.

Definition of specifications for the software security functions

If you have your own software implemented externally, you should define a detailed description of the security architecture for the implementation partner. This includes the specific mechanisms and configurations with which the software security concept and corresponding mechanisms are to be implemented. We help you with the appropriate specification of the necessary measures.

Review of software security concepts

The central component of an analysis of the security architecture is the product- or service-specific software security requirements. These form the frame of reference for the investigations and the final evaluation. The focus is on an assessment of the potential extent of possible damage with regard to realistic scenarios. In addition, the attack surface of the software and its components is identified. The analysis of the security architecture points out defects in the general conception, in the security requirements and in the detailed specification of specific measures, and gives recommendations on how to address these aspects adequately.

Software security assessment

This type of project focuses on your internal development and its management and looks at the implementation of the software and, if desired, the backend systems involved. The evaluation reports of this project type provide you with everything you need to make informed decisions: documented requirements and assumptions, detailed descriptions of tests and results for your developers, and meaningful summary assessments for your management. Project results are limited to your internal purposes.

Statements on specific software security claims

In highly competitive markets, high software security can be the advantage that makes you the market leader. We carry out evaluations that examine the specific security requirements of your solution as part of a targeted evaluation and help you to respond to the security needs and questions of your customers. The project report focuses on the desired security requirements and can be passed on to your customers/partners within the bounds of an NDA.

Public statements on software security

Test certificates and test reports show your customers and the public that you care about the security of your software. Published by an independent laboratory under the renowned Fraunhofer brand, they convey confidence and strengthen your sales potential. Apps can receive a Fraunhofer SIT certificate if they meet all the security requirements. The certificate itself can be used for marketing purposes as a differentiator from your competitors.

Trainings for software developers

We spend a lot of time attacking software vulnerabilities, for example by exploiting self-implemented cryptographic techniques, finding implementation errors, and searching for sensitive, insecurely stored data. In software developer trainings, we share our knowledge about which mistakes should not be made in software implementations, and which building blocks known to be secure developers should use instead.

Job offers

Fraunhofer SIT seeks scientific staff, some of them also for management positions

You will be responsible for planning, leading, executing and representing applied R&D projects, jointly with clients and partners from industry, government agencies and academia.