MEFORMA Security Evaluation Methodology
Even software engineers tend to forget about the fact that the burden of the security incidents we experience today stem from defects in the code – actually bugs – committed by them. Constrained by resources, many software vendors ignore security entirely until they face an incident, or are tackling security just by focusing on the options they think to be the cheapest – which usually means post-incident patching and automatic updates. Security, however, should be applied holistically, and should be interwoven into the entire product development lifecycle. Eliminating security problems is challenging, however; while engineers have to be vigilant and find every single bug in the code to make a product secure, an attacker only has to find a single remaining vulnerability to exploit it and take control of the entire system.
This is why security evaluation is so different from functional testing, and why it needs to be performed by a well-prepared security expert. In this paper we will tackle the challenge of security testing, and introduce our methodology for evaluating the security of IT products: SEARCH-LAB’s MEFORMA was specifically created as a framework for commercial security evaluations, and has already been proven in more than 50 projects over twelve years.