The Centrifuge IoT Security Platform (CSP), built by former US intelligence offensive cyber operators at Tactical Network Solutions, automatically reverse engineers compiled firmware images to pinpoint security vulnerabilities and holes. It works by extracting the complete root filesystem within a firmware image, deconstructing each file down to the byte code level, and generating detailed reports revealing vulnerable function calls.
How does CSP compare to VERACODE and other static code analysis tools?
By contrast, according to OWASP, "Source code analysis tools, also referred to as Static Application Security Testing (SAST) Tools, are designed to analyze source code and/or compiled versions of code [not compiled firmware images] to help find security flaws. Ideally, such tools would automatically find security flaws with such a high degree of confidence that what's found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws."
With Centrifuge's ability to find zero-day vulnerabilities, its performance remains at the bleeding edge.
How do companies and organizations use Centrifuge?
Companies use CSP firmware evaluations to quickly identify vulnerabilities introduced by insecure coding practices, by linking against flawed open source libraries, or by the compilation process itself. Further, CSP protects manufacturers who use vendor-provided firmware images in their products without knowing whether those images are free from vulnerabilities that, once integrated into the final product, could put them at risk of attack and embarrassment.
CSP firmware evaluations can also save significant time and money for governments, intelligence agencies, militaries and their contractors, allowing them to start from higher ground when looking for vulnerabilities in a target's firmware.