Centrifuge IoT Security Platform VS. VERACODE and Other Static Code Analysis Tools

April 18, 2017

The Centrifuge IoT Security Platform (CSP), built by former US intelligence offensive cyber operators at Tactical Network Solutions, automatically reverse engineers compiled firmware images to pinpoint security vulnerabilities and holes. It works by extracting the complete root filesystems within firmware images, deconstructing each file down to the byte code level and generating detailed reports revealing vulnerable function calls.

How does CSP compare to VERACODE and other static code analysis tools?

  • CSP does not require access to source code
  • It's able to reveal private and public crypto keys
  • It can identify zero-day vulnerabilities
  • It leverages both static and dynamic analyses
  • It points to exact binaries, and the function calls within those binaries, which could be exploitable

Conversely, according to OWASP, "Source code analysis tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code [not compiled firmware images] to help find security flaws. Ideally, such tools would automatically find security flaws with such a high degree of confidence that what's found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws."

With Centrifuge's ability to find zero-day vulnerabilities, its performance remains at the bleeding edge.

How do companies and organizations use Centrifuge?

Companies use CSP firmware evaluations to quickly identify vulnerabilities that are introduced by insecure coding practices, by linking to flawed open source libraries, or by the compilation process itself. Further, CSP protects manufacturers when they use vendor-provided firmware images in their products and don't know if they're free from vulnerabilities that could - once integrated into their final product - put them at risk for attack and embarrassment.

CSP firmware evaluations can also save significant time and money for governments, intelligence agencies, militaries and their contractors, allowing them to start from higher ground when looking for vulnerabilities in a target's firmware.

The Centrifuge IoT Security Platform is the clear roadmap to vulnerability discovery just before production and the final step in the embedded firmware development life cycle.
