Excellent security testing process

Prevention is better than cure.

softScheck GmbH from St. Augustin, Germany, received the “Product of the Year” award from SmarterWorld in the “Smart Automation/Security” category in 2019 for its extensive security testing process for hardening software during the development phase.

“The prize comes at the right time”, said Managing Director Professor Dr. Hartmut Pohl on the occasion of the awarding of the “Product of the Year” prize by SmarterWorld in the offices of softScheck GmbH in St. Augustin near Bonn. As devices become ever more networked into an “Internet of Everything”, the security of hardware and software matters from the very beginning (“ab ovo”). “If attention is paid to security already in the development process, possible later damages by hackers and malware are minimized”, says Professor Pohl.

In the field of security testing during the software development phase, softScheck GmbH from St. Augustin has become a leading service provider. Its expertise contributed to the first successful certification of a Smart Meter Gateway in Germany: the Smart Meter Gateway of PPC AG and OpenLimit SignCubes received certification from the German Federal Office for Information Security (BSI) in December 2018.

Professor Pohl accepted the award on behalf of the entire team, which, according to the managing director, is currently “working on the further development of the existing security testing process” and adding further methods.

The growth of the Internet of Things is noticeable, says Pohl. On the one hand, companies are now increasingly having entire infrastructures and networks tested; on the other hand, softScheck is increasingly being commissioned to test networked products, from smart home components and smart kitchen machines to smart medical devices and mobile apps.

According to Professor Pohl, the special thing about softScheck testing is that the process is “fairly complete”. “We start with a security requirement analysis, i.e. we check whether the customer has formulated the right requirements at all and developed the appropriate security design on this basis. In the second step, we check the security design, the architecture. The third step is the verification of the derived source code, the static source code analysis. The fourth step is penetration testing, the fifth step is fuzzing. We bombard an application like a mobile app with successful attack data and see how the application reacts. In case of anomalies, you have to look into the machine-executable code.” In that last step, softScheck also checks whether unwanted code (backdoors, Trojans etc.) is present and, in conformity testing, checks that the implementation matches the design and that the executable code matches the implementation.
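The fuzzing step described above, as an added illustration that is not softScheck's code or tooling: a small mutation fuzzer feeds corrupted variants of valid inputs to a target and records only the reactions that are anomalies, i.e. anything other than a clean parse or a graceful rejection. The target `parse_record` is a constructed tag-length-value parser with one deliberate defect (it reads a length byte without checking that one exists), included only so the harness has something to find; the seeds, mutators and the `ValueError` convention for expected rejections are assumptions of this example.

```python
import random
from typing import Callable, Dict, Optional, Sequence, Tuple


def parse_record(data: bytes) -> Dict[int, bytes]:
    """Constructed demonstration target (not from the article): parses a tiny
    [tag:1][len:1][value:len] format, repeated until the input is consumed.
    A truncated value is rejected gracefully with ValueError; a missing
    length byte is the deliberate defect the fuzzer is meant to surface."""
    fields: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        tag = data[i]
        length = data[i + 1]            # defect: no check that a length byte exists
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value")   # expected, graceful rejection
        fields[tag] = value
        i += 2 + length
    return fields


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, boundary byte, insert, delete or truncate."""
    data = bytearray(seed)
    op = rng.randrange(5)
    if op == 0 and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == 1 and data:
        data[rng.randrange(len(data))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif op == 2:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == 3 and data:
        del data[rng.randrange(len(data))]
    elif op == 4 and len(data) > 1:
        del data[rng.randrange(1, len(data)):]
    return bytes(data)


def exception_name(target: Callable[[bytes], object], data: bytes) -> Optional[str]:
    """Run the target once and report the exception type it raised, if any."""
    try:
        target(data)
    except Exception as exc:  # noqa: BLE001 - we want every failure kind here
        return type(exc).__name__
    return None


def fuzz(target: Callable[[bytes], object], seeds: Sequence[bytes], iterations: int,
         rng_seed: int = 0, expected: Tuple[type, ...] = (ValueError,)) -> Dict[str, bytes]:
    """Mutate the seeds repeatedly; keep the shortest input per anomalous exception type.
    Exceptions listed in `expected` are the parser saying "no" politely and are ignored."""
    rng = random.Random(rng_seed)
    findings: Dict[str, bytes] = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(seeds), rng)
        try:
            target(candidate)
        except expected:
            continue
        except Exception as exc:  # noqa: BLE001
            name = type(exc).__name__
            if name not in findings or len(candidate) < len(findings[name]):
                findings[name] = candidate
    return findings


def shrink(target: Callable[[bytes], object], crasher: bytes, exc_name: str) -> bytes:
    """Greedy single-byte deletion until no shorter input reproduces the same
    exception type; gives the analyst a smaller case to look into."""
    current = crasher
    changed = True
    while changed:
        changed = False
        for i in range(len(current)):
            trial = current[:i] + current[i + 1:]
            if exception_name(target, trial) == exc_name:
                current, changed = trial, True
                break
    return current


# Constructed seed corpus: two well-formed records the parser accepts.
SEEDS = [b"\x01\x03abc\x02\x01x", b"\x10\x00"]

if __name__ == "__main__":
    for name, inp in fuzz(parse_record, SEEDS, 2000).items():
        print(f"{name}: {inp!r} -> shrunk {shrink(parse_record, inp, name)!r}")
```

The point of separating `expected` from everything else is the one the quote makes: a parser that rejects bad input with a defined error has reacted correctly, whereas an `IndexError` escaping from deep inside the loop is the anomaly that sends the analyst into the code for a closer look.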

“The issue is not to ward off the many attacks,” says Prof. Pohl, “but there is commercial and open software, which in turn could contain exploitable bugs.

We look at the points of attack of software, firmware and microcode itself.

Software checked and hardened by softScheck can be found in such diverse products as smart meter gateways, the automotive emergency call system eCall, blockchain implementations, smart contracts, radar devices, clouds, industrial machine controls and sensors, food processors, medical devices and infrastructures.