Malwarebytes

Background

Anti-Malware provider Malwarebytes has quickly become a standard in the consumer marketplace for providing malware protection that stops sophisticated malicious software infections typically missed by traditional antivirus solutions. In fact, in just three years, Malwarebytes Anti-Malware reached critical mass after being downloaded by over 200 million consumers worldwide, causing the corporate world to demand a Malwarebytes anti-malware solution for the enterprise.

However, Malwarebytes wanted to make sure that its Malwarebytes Enterprise Edition (MEE) was hardened to withstand the type of attacks a security product would endure when released into the corporate marketplace. To do that, Malwarebytes turned to leading secure software development company Denim Group to provide a third-party security assessment to identify potential security weaknesses in the product before hackers did.

Key Business Challenge

Malwarebytes reached out to Denim Group because the company had earned a stellar reputation not only for testing the most complex applications, but also for its extensive experience in building systems with critical security, compliance and performance requirements. Malwarebytes needed confidence that Denim Group’s testing team would be able to identify critical design and architectural weaknesses, as well as coding flaws, in the Malwarebytes Enterprise Edition (MEE) before it was deployed into environments that might protect up to 50,000 customer endpoints.

Because Malwarebytes Enterprise Edition (MEE) is a complex system made up of several main components, including a web-based application as well as client-server modules, a customized testing approach had to be created. Typically, a security assessment involves testing an application’s source code with a variety of automated tools to ensure the code performs properly. However, automated scanning alone would not instill sufficient confidence that the software would do exactly what it is supposed to do and nothing more. A manual testing procedure also had to be put in place to properly assess and find application authorization issues, that is, flaws in the rules that define what a user is entitled to access after logging into the application. The approach Denim Group implemented to test MEE’s sophisticated architecture needed to examine the security of the individual modules while also looking for potential weaknesses and vulnerabilities in the interaction of these modules and in the behavior of the system as a whole. Denim Group’s experience building systems of this kind helped the company create a comprehensive assessment methodology that would properly push the application to its limits and verify its security features.

Because of the complexity of the MEE application, a one-size-fits-all testing approach based solely on automated scanners would not be effective. Denim Group leveraged its deep systems development knowledge to create a customized test plan that allowed for the thorough examination of the different components in the system. Building a customized testing plan for an application consists of identifying all parts of the system and determining what testing approach or approaches will be most effective for testing each part of the system as well as identifying the correct mix of automation and manual analysis. This approach goes beyond the simple use of automated scanning tools and is required for thorough testing of complex, modern applications.

Denim Group Solution

Initially, the application architecture was outlined, and this outline was used to create a threat model for the system as well as an overall assessment plan specific to the unique security requirements of the MEE application. Next, automated static analysis tools were used to examine the application source code for common coding flaws that lead to security vulnerabilities, such as format string bugs, race conditions, memory leaks and buffer overflows. In addition, various dynamic testing methodologies were applied in an attempt to identify other classes of vulnerabilities. This comprehensive approach combined automation with expert analyst review and testing methodologies in order to best identify issues across the spectrum of potential weaknesses and vulnerabilities that can be present in such a complicated system. The results of the testing were written up in a report for Malwarebytes executives and presented to Malwarebytes developers, together with a discussion of the most expedient and effective approaches and recommendations for remediating the potential issues.

ROI Value Statement

As a result of Denim Group’s thorough security testing methodology, which analyzed MEE’s most critical system components, issues found during testing were addressed in a timely and thorough manner, making the Malwarebytes enterprise software much more resilient prior to product launch. It also gave Malwarebytes’ leadership the confidence and third-party validation they needed to release a security product into the market, because as a leader in the anti-malware space, Malwarebytes is a particularly attractive target for hackers. With Denim Group’s help, Malwarebytes can focus on building the features needed to make Malwarebytes Enterprise Edition a solid addition to the layered security approach employed by today’s organizations to keep employees, customers and corporate data safe and secure.