Get Started with SecChamps

Device Security
Carve performs the following services to help organizations address the security of devices, applications, networks, and IoT and traditionally networked ecosystems.
• Penetration Testing (mobile, embedded, hardware, web application, network)
• Source Code Review
• Secure Product Design Advisory
• Architecture Security Review
• Threat Modeling
• Risk Assessment
Hardware
• Hidden JTAG and serial port discovery
• Firmware extraction via JTAG
• Firmware extraction via serial or networking port
• Hardware modification to activate access ports hidden by developers
• Hardware glitch attacks to expose poorly tested failure modes that may yield elevated access
• Desoldering on-board storage devices for off-board reading and modification
• Add on-board “taps” to sniff and potentially modify communications between CPU and storage
• Analysis of semiconductor reference PCB design and software load to find exploitable security faults that may have been “re-used” by the OEM
• Audit and defeat “secure boot” protections
Firmware/Software
• Audit file system to discover targets of interest (sensitive files, binaries with network/RF attack surface)
• Audit file system to discover misconfigured file permissions
• Audit application function to find applications which modify sensitive files (e.g. the password file) and fail to validate and sanitize attacker-controlled input
Cloud & Mobile
• Manual grey- or black-box web application and API testing
• Android and iOS penetration testing (device/operating system/application)
• Manual and tool-assisted code review
• Host and network service discovery
• Host and cloud network design and configuration reviews
• Automated vulnerability scanning
• Open Source Intelligence Gathering
Syncing Engineering + Business Teams
Organizing your business so that security is part of the inherent structure, instead of an afterthought, is a necessary change to make if you want to keep your products and employees protected.
• We integrate our security experts within your business so that communication is streamlined between employees and nothing falls through the cracks
• We provide education and insight to your employees, syncing the engineering and business teams with security as a priority