Security

We at Bittium have dedicated ourselves to keeping up with the latest security requirements, standards, protocols, and legislation.


Information Security

The world is increasingly dependent on software. And the software we depend upon is increasingly complex. It changes too, at a fast pace: monthly, weekly, and sometimes even daily.

Complex software products and networked business infrastructures make up a labyrinthine environment in which to mitigate vulnerabilities. The overall attack surface – the many points at which an attacker could enter a software environment – is large. This creates an enormous challenge for security.

From the user's point of view, extra security hoops can seem an imposition. Bittium exists to make sure that you do not have to compromise security while striving for a seamless user experience. We know the ins and outs of the security and regulatory requirements, and carry this expertise over to our own and our customers' software and hardware products.

Securing Hardware

There are numerous standards and requirements for hardware and security, such as TEMPEST, Common Criteria and FIPS 140-2. At Bittium, we have developed a process and implementation for secure hardware. It is designed to fulfill and go beyond these common requirements, now and in the future.

Bittium’s secure and systematic hardware design process includes:

Bittium Tough Mobile product family, used by governmental agencies and enterprises, is a showcase example of our expertise in secure hardware design.

Securing Software

We employ the Defense in Depth (DiD) approach. This means defenses are implemented over different layers of the software and at all phases of product development to eliminate single points of failure.

Software Design Phase

Software design starts with threat modeling. Early on, security flaw analyses are run to spot security risks in the software architecture and avoid expensive redesigns later. In the system-level design phase, we concentrate on high-level mitigations to generic threats, such as anti-tampering features. At the component level, our focus is on input validation practices.

We also rely on taint analysis, which marks untrusted or sensitive data and tracks its propagation and respective derivatives within the system. The usefulness of taint analysis is two-fold: it ensures that untrusted data does not cause malicious actions, and it guards against sensitive data being leaked outside the system while making sure such data is erased when no longer needed.
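The two uses of taint tracking described above, as an added example that is not Bittium's code: labels travel with derived data, a query sink refuses "untrusted" input, and a log sink refuses "secret" input. The class, label names and sinks are hypothetical, and only `concat` propagates labels in this sketch.

```python
class Tainted(str):
    """A string that carries taint labels such as 'untrusted' or 'secret'."""
    def __new__(cls, value, labels):
        obj = super().__new__(cls, value)
        obj.labels = frozenset(labels)
        return obj

def labels_of(value):
    """Plain strings carry no labels."""
    return getattr(value, "labels", frozenset())

def concat(*parts):
    """Derived data inherits the union of its sources' labels."""
    merged = frozenset().union(*(labels_of(p) for p in parts))
    text = "".join(parts)
    return Tainted(text, merged) if merged else text

def validate_id(value):
    """Allow-list validator: only ASCII digits pass, which clears 'untrusted'."""
    text = str(value)
    if not (text.isascii() and text.isdigit()):
        raise ValueError("rejected by allow-list")
    return Tainted(text, labels_of(value) - {"untrusted"})

def run_query(sql):
    """Sensitive sink: refuses anything derived from untrusted data."""
    if "untrusted" in labels_of(sql):
        raise PermissionError("untrusted data reached the query sink")
    return "executed"

def write_log(line):
    """Outbound sink: refuses anything derived from secret data."""
    if "secret" in labels_of(line):
        raise PermissionError("secret data reached the log sink")
    return "logged"

def blocked(sink, value):
    """True if the sink refused the value."""
    try:
        sink(value)
    except PermissionError:
        return True
    return False

# Constructed inputs: one hostile request parameter, one benign, one secret.
HOSTILE = Tainted("1 OR 1=1", {"untrusted"})
BENIGN = Tainted("42", {"untrusted"})
PIN = Tainted("1234", {"secret"})
```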

We make sure that the security foundations are solid and neither the system nor its components are open to vulnerabilities when going forward in the software development process.

Software Implementation Phase

In the implementation phase, a hierarchical structure is applied to create secure code. At the top level of the structure, input validation is applied through whitelisting. This means that access is granted only to specifically identified entities rather than going by the principle of least privilege, which is used in blacklisting.

At lower levels, where the abstraction level decreases, more detailed guidance is defined, from client-server architecture considerations (e.g. communication security, authentication, and access control) down to standard coding practices (e.g. Java and C language-specific). If the system under development includes third-party open source software, we use open source vulnerability databases, such as CVE, and hold rigorous reviews to check for any backdoors. We keep the security of legacy source code up to date and use automated tools for static code analysis to help identify invalid pointer references, uninitialized variables, buffer overruns, and other security flaws.

Software Testing Phase

The software implementation phase includes many security self-assessment methods. Primary attention is given to the scope of the software component. Manual integration testing is also needed to take into account interactions between the different software components – to check the networking and access control of shared resources.

Coverage analysis tools ensure that the entire source codebase gets tested. Fuzz testing feeds modified versions of valid inputs to the tested interface and finds conditions such as invalid input handling, memory leaks, or overload scenarios. Coverage analysis is essential for efficient fuzzing because it enables the selection of a comprehensive and non-overlapping set of valid inputs that will be modified during fuzz testing.
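Selecting a comprehensive, non-overlapping seed set from coverage data, as an added example that is not Bittium's tooling: each seed's line coverage is measured with `sys.settrace`, then a greedy set cover keeps only seeds that reach new lines. The `parse_record` target and the seed corpus are constructed for illustration.

```python
import sys

def parse_record(data: bytes) -> str:
    """Toy fuzz target, constructed for this example: tag, length, body."""
    if len(data) < 2:
        return "short"
    tag, length = data[0], data[1]
    body = data[2:2 + length]
    if len(body) != length:
        return "truncated"
    if tag == 0x01:
        return "text:" + body.decode("ascii", "replace")
    if tag == 0x02:
        return "int:%d" % int.from_bytes(body, "big")
    return "unknown"

def line_coverage(func, arg) -> frozenset:
    """Lines of func executed while processing one input."""
    hit, code = set(), func.__code__
    def tracer(frame, event, _arg):
        if frame.f_code is not code:
            return None            # do not trace other functions
        if event == "line":
            hit.add(frame.f_lineno)
        return tracer
    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        func(arg)
    finally:
        sys.settrace(previous)
    return frozenset(hit)

def minimize_corpus(func, seeds):
    """Greedy set cover: keep a seed only if it reaches lines not yet covered."""
    cov = {s: line_coverage(func, s) for s in seeds}
    kept, covered = [], set()
    while seeds:
        best = max(seeds, key=lambda s: len(cov[s] - covered))
        if not cov[best] - covered:
            break
        kept.append(best)
        covered |= cov[best]
    return kept, covered

# Constructed seed corpus: several seeds exercise the same path.
SEEDS = [b"\x01\x02hi", b"\x01\x03abc", b"\x02\x01\x07",
         b"\x02\x02\x01\x00", b"\x09\x00", b"\x01\x05ab", b""]
```

Calling `minimize_corpus(parse_record, SEEDS)` drops the seeds whose path is already exercised by another seed while leaving total coverage unchanged.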

Software Releasing and Maintenance Phase

From the security viewpoint, the software is ready for release when all its security issues are tackled. From the release on, maintenance takes the stage, and protecting the software from unwanted changes is essential until the end of the software lifecycle. Secure building, integrity protection, secure signing, and rollback prevention are the main measures to be taken. All of these protections are also included in the swift over-the-air (OTA) updates, which can be run to patch, for example, third-party software vulnerabilities.
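How a device can combine signing, integrity protection and rollback prevention when accepting an update, as an added example that is not Bittium's implementation: the manifest is authenticated first, then the image hash, then a monotonic version check. HMAC stands in for an asymmetric signature so the sketch runs on the standard library; the manifest layout, key and `Device` class are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key. With a real signature scheme the device would hold
# only a public verification key, never the signing key.
DEMO_KEY = b"constructed-demo-key"

def sign_manifest(manifest: dict, key: bytes) -> str:
    """Authenticate the canonical JSON form of the manifest."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def make_update(version: int, image: bytes, key: bytes) -> dict:
    """Build-side step: bind the image hash and version into a signed manifest."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return {"manifest": manifest, "sig": sign_manifest(manifest, key), "image": image}

class Device:
    def __init__(self, key: bytes, installed_version: int):
        self.key = key
        # Monotonic counter; assumed to live in tamper-resistant storage.
        self.min_version = installed_version

    def install(self, update: dict) -> str:
        manifest = update["manifest"]
        # 1. Authenticity: the manifest must carry a valid tag.
        if not hmac.compare_digest(sign_manifest(manifest, self.key), update["sig"]):
            return "rejected: bad signature"
        # 2. Integrity: the image must match the hash the manifest vouches for.
        digest = hashlib.sha256(update["image"]).hexdigest()
        if not hmac.compare_digest(digest, manifest["sha256"]):
            return "rejected: image hash mismatch"
        # 3. Rollback prevention: a validly signed older release is still refused.
        if manifest["version"] <= self.min_version:
            return "rejected: not newer than installed"
        self.min_version = manifest["version"]
        return "installed"
```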

Secure Mobile Communication

With the rise of connected mobile devices, it becomes harder and harder for organizations to ensure security. The security of services can potentially be threatened whenever the device enters a new network, especially in public places such as airports and trains. Both the hardware and the software are at risk of being tampered with, and applications or updates can cause additional threats.

While the big smartphone manufacturers and key operating system providers try to enhance their security measures, they do not compare to specifically designed secure phones.

The use of LTE technology, smartphones, and applications continues to increase in special verticals, creating demand for secure LTE smartphones such as Bittium's own product platform and complementary security solutions.

As a world-leading technology provider for secure mobile communications, we are mastering the Android ecosystem with our Bittium Tough Mobile 2 product portfolio.

Secure Communications & Connectivity

Bittium Tough Mobile 2™

Designed and built for professionals with the highest security requirements.

Bittium Secure Suite™

A device management and encryption software that complements secure Bittium Tough Mobile smartphones with a full and scalable set of software and services.

Bittium Secure Call™

Secure voice, video and messaging application with end-to-end encryption.

Bittium SafeMove® Mobile VPN

A leading remote access software solution for providing always-on, secure and seamless connectivity to the organisation's information systems regardless of time and place.