Overview

With the explosion of connected devices and the corresponding growth in hacks and malware, your business data needs a layered security approach. For QuEST Global, security is a vital aspect of every project it undertakes. We work with clients across a wide spectrum of domains including device manufacturing, defence, automotive, banking and education. Over the years, QuEST has pioneered the implementation of security solutions from device to cloud. This is evident from the fact that we have been one of the global R&D partners for Samsung KNOX, played a key role in designing secure ultra-rugged devices for Sonim Technologies, deployed managed security for mobile devices for defence, and enabled single sign-on (SSO) and Rights Management Services (RMS) on top of the Microsoft stack, among many others.

Typical security layer stack we work across:

Key Security Focus Areas

  • Device Security
  • Data Security
  • Authentication & authorization
  • Certification & Compliance
  • Penetration Testing

QuEST has the capability to secure devices across various form factors by leveraging the following building blocks of security:

TrustZone-enabled chipset

  • Hardware security
  • Root of trust implementation

ARM TrustZone firmware

  • Boot services
  • Runtime services

Trusted Execution Environment (TEE) OS

  • Client libraries / TEE APIs (enable writing of trusted applications)
  • Drivers, Trusted OS

Client applications

  • TEE client (Rich OS)
  • Trusted applications (Secure world)

Securing data at rest and in transit requires comprehensive security provisions to be in place. QuEST helps its customers achieve data security through robust implementations such as:

FIPS Certification Services

  • Develop / certify (with a NIST lab) crypto library
  • Enable FIPS module in OpenSSL stack

DRM Services

  • Enable OMA DRM 1.0/2.0
  • Enable / develop services on 3rd-party DRM solutions, e.g. Widevine, SafeNet (Synaptics), PlayReady

White-Box Cryptography

  • Protection of applications, keys, and data
  • Enable customers to adopt white-box cryptography

Rights Management Services

  • Enable Microsoft Rights Management Services on third-party document management systems (for example, EMC Documentum)

Code security ensures that the solution is robust in all environments. It is extremely important to know not only what the user is doing but also who the user is and whether the user is allowed to do it. That is why authentication & authorization is so important. QuEST has extensive experience in protecting users' private data by implementing various authentication & authorization protocols. Some of them are as follows:

SAML / OAuth identity management service

  • Enable compatibility with multiple SAML 2.0 / OAuth identity services, e.g. Okta, Ping Identity, Azure, Amazon, Google

Single Sign-On

  • Services to develop SSO capability on web and mobile (where the identity service is owned by the customer)

PKI Infrastructure

  • Services to build PKI infrastructure
  • Integrate solutions with 3rd-party PKI infrastructure

Second-factor authentication

  • Capability to develop second-factor authentication services using the HOTP, TOTP and OCRA protocols

Certification & compliance ensures adherence to minimum security requirements for cryptographic modules in products and systems. The aim is to promote compliance and ethics through certification. QuEST has implemented the following certifications for various customers:

  • NIAP Common Criteria certification
  • DoD STIG certification
  • FIPS 140-2 certification
  • NSA CSfC certification
  • CAVP cryptographic algorithm testing

With ever-present security threats, it is extremely important to ensure that the product or solution can withstand them. One must test the service to make sure that it is secure. QuEST designs security into its customers' services during the discovery phase and then tests continuously as we build, not as a one-off check. We perform a wide range of tests to ensure the solution is secure. Some of the key tests are as follows:

  • Attempt to reverse engineer the OS Code (including de-obfuscating APKs, etc.)
  • Testing for Common Libraries and Fingerprinting
  • Enumeration of Application Known Controllers
  • Information Disclosure by logcat
  • Hidden Secrets in the Code
  • Storing Sensitive Data on Shared Storage (exposed to all applications without any restrictions)
  • Cryptography-Based Storage Strength
  • Content Providers Access Permissions
  • Content Providers SQL Injection
  • Privacy and Metadata Leaks
  • User Proprietary Data in logcat
  • Technically Valuable Data in logcat
  • Exposed Components and Cross Application Authorization
  • Permissions & Digital Signature Data Sharing Issues
  • Clipboard Separation
  • Public Intents and Unauthenticated Data Sources
