Codified Security Solution Overview
Codified Security is available Online (cloud hosted), or On Premise, and comes with an API that has all of the product’s functionalities available for integration.
Client side security testing
Codified Security’s custom static analysis engine decompiles each mobile app from its binary file to test the client side code.
Each line of code is tested against our rulesets to find security vulnerabilities and flaws in code at rest.
Issue verification
The traditional problem of static analysis, a high false positive rate, means that many reported issues either do not exist or pose no threat to a mobile app’s security.
We use issue verification as part of the calibration process to examine the initial test results for false positives. The false positives are marked for future tests and removed from final results.
The next step is to hide third party modules and libraries to show the issues that you need to fix in your proprietary code.
After issue verification a report shows details for each of the vulnerabilities and, on Android and Xamarin apps, shows the file and line of code that contains the issue.
When you upload the next build the platform will help you to focus on new issues or regressions.
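The passage above describes four steps: testing every line of decompiled code against a ruleset, marking false positives so they are dropped from later runs, hiding third-party packages, and comparing the next build against the previous one. The following Python is an added illustration of that workflow and is not Codified Security’s engine or ruleset; the rule ids (CS-M2-001 and so on), the regular-expression patterns, the package paths and the two "decompiled" builds are all constructed for this example. A finding is identified by file, rule and a hash of the offending line rather than by line number, so a false-positive mark survives when unrelated code shifts lines in the next build.

```python
import hashlib
import re
from dataclasses import dataclass

CRITICAL, SEVERE, WARNING = "Critical", "Severe", "Warning"


@dataclass(frozen=True)
class Rule:
    rule_id: str        # hypothetical rule ids, constructed for this example
    category: str       # OWASP Mobile Top 10 category the rule maps to
    severity: str
    pattern: re.Pattern
    fix: str


# Four illustrative rules; a real ruleset has hundreds and is far less naive.
RULES = [
    Rule("CS-M2-001", "M2 Insecure Data Storage", CRITICAL,
         re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)"),
         "Use Context.MODE_PRIVATE so files stay inside the app sandbox."),
    Rule("CS-M3-001", "M3 Insufficient Transport Layer Protection", CRITICAL,
         re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
         "Keep default hostname verification; validate or pin certificates."),
    Rule("CS-M6-001", "M6 Broken Cryptography", SEVERE,
         re.compile(r'Cipher\.getInstance\("(DES|AES/ECB)[^"]*"\)'),
         "Use AES/GCM/NoPadding with a fresh random nonce per message."),
    Rule("CS-M4-001", "M4 Unintended Data Leakage", WARNING,
         re.compile(r"\bLog\.[dvi]\("),
         "Strip debug logging from release builds."),
]


def suppression_key(path, rule_id, snippet):
    """Identity of a finding that survives line shifts between builds:
    file + rule + hash of the offending line, not its line number."""
    digest = hashlib.sha256(snippet.strip().encode()).hexdigest()[:16]
    return (path, rule_id, digest)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: Rule
    snippet: str

    @property
    def key(self):
        return suppression_key(self.path, self.rule.rule_id, self.snippet)


def scan(sources):
    """Test every line of every decompiled file against every rule (code at rest)."""
    return [Finding(path, n, rule, line.strip())
            for path, text in sources.items()
            for n, line in enumerate(text.splitlines(), start=1)
            for rule in RULES if rule.pattern.search(line)]


def verify(findings, suppressed_keys, third_party_prefixes):
    """Issue verification: drop findings a reviewer marked as false positives
    on an earlier run, and hide findings inside third-party packages."""
    return [f for f in findings
            if f.key not in suppressed_keys
            and not f.path.startswith(third_party_prefixes)]


def diff_builds(previous, current):
    """Return (new findings in the current build, previous findings now fixed)."""
    prev, cur = {f.key for f in previous}, {f.key for f in current}
    return ([f for f in current if f.key not in prev],
            [f for f in previous if f.key not in cur])


def report(findings):
    """Report rows ordered Critical > Severe > Warning, with file:line and the fix."""
    rank = {CRITICAL: 0, SEVERE: 1, WARNING: 2}
    return [f"[{f.rule.severity}] {f.rule.rule_id} ({f.rule.category}) "
            f"{f.path}:{f.line_no}  {f.snippet}  fix: {f.rule.fix}"
            for f in sorted(findings, key=lambda f: (rank[f.rule.severity], f.path, f.line_no))]


# Constructed "decompiled" sources standing in for two consecutive builds.
BUILD_1 = {
    "com/example/app/Storage.java":
        'package com.example.app;\n'
        'FileOutputStream out = ctx.openFileOutput("token", Context.MODE_WORLD_READABLE);\n'
        'Log.d("Storage", "saved token " + token);\n',
    "com/example/app/Net.java":
        'package com.example.app;\n'
        'conn.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);\n'
        'Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");\n'
        'Log.i("Net", "tls configured");\n',
    "com/thirdparty/analytics/Tracker.java":
        'package com.thirdparty.analytics;\n'
        'Log.d("Analytics", "event sent");\n',
}
BUILD_2 = dict(BUILD_1)
BUILD_2["com/example/app/Storage.java"] = BUILD_1["com/example/app/Storage.java"].replace(
    "MODE_WORLD_READABLE", "MODE_PRIVATE")  # the developer fixed this one
BUILD_2["com/example/app/Cache.java"] = (  # and introduced a regression
    'package com.example.app;\n'
    'SharedPreferences p = ctx.getSharedPreferences("cache", Context.MODE_WORLD_WRITEABLE);\n')


def run_example():
    """Scan both builds, apply verification, and diff them."""
    # The reviewer judged the informational log line in Net.java harmless.
    suppressed = {suppression_key("com/example/app/Net.java", "CS-M4-001",
                                  'Log.i("Net", "tls configured");')}
    third_party = ("com/thirdparty/",)
    raw_1 = scan(BUILD_1)
    verified_1 = verify(raw_1, suppressed, third_party)
    verified_2 = verify(scan(BUILD_2), suppressed, third_party)
    new, fixed = diff_builds(verified_1, verified_2)
    return {"raw": len(raw_1), "verified": len(verified_1),
            "new": [f.path for f in new], "fixed": [f.path for f in fixed],
            "report": report(verified_2)}


if __name__ == "__main__":
    result = run_example()
    print(f"build 1: {result['raw']} raw findings, {result['verified']} after verification")
    print("new in build 2:", result["new"], "fixed in build 2:", result["fixed"])
    print("\n".join(result["report"]))
```

Running it shows the raw pass over build 1 producing six findings, verification trimming that to four (one reviewer-marked false positive and one third-party hit removed), and the build-to-build diff reporting one fixed issue and one regression, which is the view a developer wants when the next build is uploaded.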
Our simple web dashboard
The web platform makes it simple to upload apps, run client side security testing, and view a comprehensive report that shows the vulnerabilities your mobile app contains.
The web platform has app upload options that include app store URLs, APKs & IPAs, and integration with beta-distribution platforms for build testing. Codified Security has support for HockeyApp and Google Play.
Our reports are optimised for ease of reading and exporting with each report showing you what each vulnerability is, why it is a risk, how to fix it, and, on Android & Xamarin.Android, the exact lines of code that need to be secured.
The web platform has options to manage email notifications, integrations with Slack & HipChat, access for team members, and third party libraries.
What we test for
Codified Security uses a range of techniques to protect against the abuse of a mobile app’s business logic and the vulnerabilities that open the door to a data breach.
Our static analysis engine tests hundreds of unique rules against the mobile client side.
These static tests pair with our human-led dynamic analysis to look for a core set of problems across the iOS & Android platforms; this includes:
Reports
Codified Security’s reports detail whether the vulnerabilities are Critical, Severe, or a Warning, giving details of what each vulnerability is, why you need to fix it, how to fix it, any compliance rules the app is in breach of, and the exact file and line of code where the problem is located. The reports are available online or exportable in a PDF or Word format.
Integration options
Codified Security plugs into existing development environments and practices that you use to support developers throughout the Software Development Lifecycle.
API
You get to decide where and how to run mobile app security tests with our API. The API has access to all of Codified Security’s features and synchronises with the web platform to give a consistent view of mobile app security for all team members.
CLI
Our CLI binary, self-contained and built in Go, makes it simple for developers to add Codified Security to their Continuous Integration setup.
The CLI binary works with any build server configuration including TeamCity, Microsoft Visual Studio Team Services, & Bitrise.
Overwatch
Overwatch is Codified Security’s research unit that combines machine learning with human expertise to mitigate the risk of new mobile app security issues.
A web crawler checks for reports of new mobile vulnerabilities, using a feed from the MITRE Common Vulnerabilities and Exposure list (CVE) and Android Security updates. We use this data to build out new rules that are added to our custom rules engine.
This keeps mobile apps secure against new security issues and works with our security notifications to let you know when your mobile apps are vulnerable.
For companies with distinct compliance concerns our researchers will change rules to reflect compliance needs, whether this is changing the risk level of certain rules or ignoring individual rules according to the particular requirements of a mobile app.
We know each company has different needs and will work with you to accommodate your requirements.
Compliance
Codified Security’s rules engine recognises the Open Web Application Security Project Mobile Top 10 (OWASP), Payment Card Industry Data Security Standard 3.2 (PCI-DSS) and Health Insurance Portability and Accountability Act (HIPAA).
Codified Security gives you a transparent way to understand the compliance of your mobile apps and data privacy risks.
Codified Security helps to fulfil testing obligations and secure mobile apps against the security frameworks of OWASP, PCI-DSS, and HIPAA; however, we do not issue certificates of compliance.
The rules that are applied to each mobile app are customisable according to the risk policies in use at your company. This makes it possible to change the risk level or ignore individual rules according to the particular requirements of a mobile app.
PCI-DSS
For a mobile app to be compliant with PCI-DSS there are a number of requirements that Codified Security covers:
- Identifying and mitigating vulnerabilities in custom and third-party code (Requirements 6.1, 6.2, 6.3, 6.4, 6.6)
- Performing code reviews by an independent organisation knowledgeable in secure coding practices (Requirement 6.3.2)
- Training developers in secure coding techniques (Requirement 6.5)
- Regularly testing systems and processes (Requirement 11.3)
- Maintaining an information security policy (Requirement 12)
HIPAA
HIPAA requires health care institutions and holders of health data to ensure the confidentiality, integrity, and availability of all electronic protected health information (PHI) and protect against any reasonably anticipated threats or hazards to the security of such information. In particular, we help address sections §164.308 to §164.31 of the Security Rule including:
- Risk analysis and management: Assess risks and vulnerabilities in applications that handle PHI
- Authentication: Verify that session identifiers are not vulnerable to authentication attacks
- Data security: Ensure that applications have implemented encryption properly for data-in-transit and data-at-rest
- Malicious code: Protect applications from malicious code and backdoors
OWASP Mobile Top 10
The OWASP Mobile Top 10 polls the security and app development industry for mobile app vulnerability statistics to profile the riskiest vulnerabilities in the mobile threat landscape. The OWASP Mobile Top 10 is the foundation for secure mobile app development; Codified Security covers:
- M1 Weak Server Side Controls
- M2 Insecure Data Storage
- M3 Insufficient Transport Layer Protection
- M4 Unintended Data Leakage
- M5 Poor Authorization and Authentication
- M6 Broken Cryptography
- M7 Client Side Injection
- M8 Security Decisions Via Untrusted Inputs
- M9 Improper Session Handling
- M10 Lack of Binary Protections
Your privacy and our security
Codified Security uses a number of features to ensure security for our platform and our customers.
We do not require source code. We use the IPA, APK, or compiled DLL (Xamarin) binaries, to test the code that will be published to public app stores.
No app binaries are stored on our server; each app package is discarded and erased alongside any artefact that the process generates.
The data on each mobile app’s vulnerabilities is held on a secure Google Cloud Platform server hosted in the EU, with the option to provision customers on to specific data regions. We use automated security and monitoring to follow Google’s standards for securing endpoints, as well as going through ad hoc security audits.
Product Overview Video
Kerry Lothrop, a Microsoft Cybersecurity MVP, talking about Codified Security’s product during a talk on Xamarin app security at the 2016 Xamarin Evolve conference (starts at 40:40).