The client engaged Lohika to perform a security assessment of their UCS code base. After analyzing the UCS code base, the Lohika team prepared a security test plan and executed the exploit tests in a carefully planned test environment. We then prepared a comprehensive report detailing the work performed, the vulnerabilities discovered and our recommendations.
Adopting a multipronged threat evaluation and vulnerability assessment approach, the Lohika security experts assessed potential vulnerabilities against three main categories: confidentiality, integrity, and availability. The exercise covered all major aspects of the products’ functional areas, such as real-time communication (involving SIP/H.323 and RTP/RTCP), local data storage, data flow through the network and administration.
To start with, the Lohika security team performed a security architecture and threat modeling review. Next, the team employed source code analyzers such as Klocwork, Cppcheck and FlawFinder, and binary analyzers such as Black Duck and binwalk. The reports from these tools were analyzed, and a thorough manual security-focused code review was performed. Subsequently, the team carried out semi-manual security testing using industry-standard security tools such as the Metasploit framework and the PROTOS test suite. The team then prepared custom tests for exploiting suspicious areas and performed manual penetration testing. The team also analyzed network activity using network scanners and packet sniffers.
Finally, the Lohika team closed the loop by analyzing the gaps in the client’s development practices and providing detailed guidelines and recommendations. Lohika’s recommendations were based on industry best practices in cybersecurity (e.g., MISRA C/C++, CERT), encompassing secure architecture and coding practices and the implementation of a Secure SDLC (S-SDLC).