EMBEDDED SECURITY SERVICES



About us

Bitwise is a fresh and flat company focused on embedded security.
Our team comprises developers and security analysts with expertise gained
working with international key players in the smart card industry.
Bitwise is proud of its strong background in hardware and software security,
especially as applied to banking and CC evaluations.

Our mission

Bitwise’s mission is to be part of the challenging embedded devices sector. For this purpose we are focused on being at the helm of the latest attack techniques.
Our consultancy services are tailored for smart card developers and testing laboratories. Building a tight relationship with our customers to help them meet their own production expectations is our highest priority.
Bearing the growth aim in mind, we know that the most important criterion is customer satisfaction. We would like to grow together with the customer, offering our best service to succeed in projects.

What we offer

  • Technical knowledge and state-of-the-art analysis to anticipate problems and help the customer improve their products.
  • Creating an open and sincere work environment with the client.
  • Flexibility to effectively adapt our business to the changing needs of our clients over the projects' life cycles.
  • Deliver work on time.
  • Knowledge in the different schemes and certification processes.


Lots of companies fail to properly communicate the status of projects due to the fact that their customer service department is hundreds of kilometers away from the technical specialists. At Bitwise you deal directly with the experts involved in your projects. This approach is easy, fast and reliable.

Pol Matamoros, Bitwise Security Analyst

 

Our Services

Quality and transparency are the basis of our service portfolio.
We want to be part of your team and
walk together with you to reach your objectives.
Download our brochure of services.

Common Criteria

We have been conducting CC evaluations and consultancy since 2006, working with international clients. We can help Common Criteria labs to face workload peaks as external evaluators. We can also provide a working framework to help developers liaise with labs and generate CC-compliant documentation in order to speed up the evaluation process.

Some of the evaluations that we have been involved in are: national ID cards, e-Passports, HSMs and signature devices.

 

EMV evaluations

Our engineers have wide experience leading technical VISA, MasterCard, AMEX, Discover and EMV (including platforms) evaluations. Bitwise can provide services to accredited laboratories to conduct the source code review, fill in the assets table and carry out the vulnerability analysis, as well as perform side-channel attacks.

Our knowledge of these evaluations makes our services very valuable for smart card manufacturers, helping them to integrate the required protection in their products from the very beginning of the development lifecycle.

 

Development

Our team has experience working at HSM and smart card manufacturers and also in security labs conducting payment and CC certification.

This provides high added value to embedded device developers, since we have a global vision and knowledge of the lifecycle of embedded devices.

We can help you at any phase of the process.

 

Training

We offer a wide range of training options for any company interested in acquiring knowledge in embedded security, Common Criteria or technologies like Javacard.

Understanding our clients' needs encourages us to be open and flexible in order to provide the best-fitting solution for our clients.

See more details in the Training section.

FAQ

Benefit from our experience in the field of embedded devices.

We are planning to embark on a new project. Can you help us define its security requirements?
Bitwise can help you to produce a design that complies with the most demanding security standards.

We have designed a product but we do not know how to implement its security requirements. Can you help us?
Bitwise can be your development partner. Our developers create easy-to-read high-quality source code that you can include in your products.

We want to certify a product. Can you advise us on how to proceed?
Bitwise can execute a gap analysis to detect gaps in your product, site and procedures. We can thereby help you effectively reduce the gap and deal with the certification laboratories.

We want to begin the certification process but the laboratory has asked us to send them a great deal of documentation that we do not have. Can you do it for us?
Bitwise can draw up all the documentation for you and deal with any questions from the laboratories.

Our development team has never heard anything about secure coding or certification. Can you train them?
Bitwise has a complete set of training options: secure coding, Java Card, Common Criteria, EMV, etc. We can also prepare customised training programmes in line with your specific needs.

Skills

Common Criteria
  • Common Criteria 3.1r4
  • IC Protection Profile (BSI-CC-PP-0035-2007)
  • Signature Device Protection Profile
  • Javacard Protection Profile (ANSI-CC-PP-2010/07)
  • Machine Readable Travel Document PPs
Banking
  • VISA Chip Security Program (VCSP)
  • Mastercard Compliance Assessment and Security Testing Program (CAST)
  • American Express
  • Discover
  • EMVCo Security Evaluation (CPA/CCD)
  • EMVCo Platform Security Evaluation
Technology
  • Javacard
  • C language
  • Global Platform
  • Mobile Payment (USIMs and eSE)
  • Cryptography
Attacks
  • Side-channel
  • Fault injection
  • Software attacks
  • Malicious code

 

Our training program is the result of our experience giving security-focused trainings all around the world. They have been thought out to meet all the client needs.

Sergi Casanova, Bitwise Security Analyst

Training

Bitwise offers a wide range of training solutions for security labs and developers.

We have been giving Common Criteria trainings all around the world for several years. Common Criteria can mean a heavy workload for companies facing their first evaluation. Our Common Criteria trainings focus on helping developers understand and implement CC security requirements, and on helping laboratories train their teams.

Basic training
  • Orden PRE/2740/2007 (Spanish framework)
  • History and differences against ISO
  • Common Criteria parts and basic usage
  • Understanding the ST
  • Security CC Model Format
  • Security Requirements Paradigm
  • CEM for evaluators
  • Comments on Protection Profiles

Advanced training

This training focuses on the implementation and evaluation of the Security Assurance Requirements (SARs) from the evaluator point of view.

  • Security Target Evaluation (ASE)
  • Development (ADV)
  • Guidance Document (AGD)
  • Life-cycle support (ALC)
  • Testing (ATE)
  • Vulnerability Assessment (AVA)
  • Protection Profile Evaluation (APE)

CC Practice
This training provides examples and exercises to practice how to model a product (ST) and solve different work units.

CC Site Visit
This training provides a full view of the minimum requirements for CC and EMV 1 site visits and of the evaluation procedure, focused on the generation of a site audit report (SAR).

IC Protection Profile
This training provides a view of the PP-0035 for IC. It reviews the minimum requirements and the different options for products strictly following this Protection Profile. The training also describes the different phases and agents involved in IC production.

Signature Devices
This training provides a view of the signature device protection profiles, to understand the different configurations provided by the profiles. The training is focused on evaluating a signature device like DNIe or CERES cards.

 

 

Javacard is the most used software technology that allows Java applications to be run securely on smart cards and similar devices. It is very important to harden operating systems and applets to increase the level of security and successfully go through a certification phase. With our experience in development and certification, we offer several training options to developers and laboratories.
Javacard Basics

The training introduces the following concepts:

  • History and usage of Javacard in the industry
  • Introduction to Object Oriented programming languages
  • Java versus Javacard
  • Javacard security model
  • Persistence model
  • Runtime checks, applet states and transaction mechanisms
  • Overview of the most used Javacard APIs such as Util or Cipher class

Javacard Advanced

The training explores in detail the following advanced topics:

  • Bytecode interpretation
  • Stack overflow and underflow checks
  • Transaction mechanism
  • Firewall and Shareable Interfaces
  • Objects representation
  • Native implementation of Javacard methods
  • CAP file structure
  • Javacard references and on-board linking process

Javacard application code review

The training provides a methodology to find and analyse security flaws and countermeasures at applet level. At the same time, several tools to make this task easier are also explained.

Javacard platform code review

The training provides a methodology to find and analyse security flaws and countermeasures at Javacard platform level. It explains the differences between a defensive and a non-defensive Javacard platform implementation.

Malicious applets

The training introduces the different types of malicious applets:

  • Verified malicious applets
  • Ill-formed applets
  • Mutant applets

 

 

We are flexible and we want to adapt to our client’s needs. We have solid knowledge in several fields:

  • Card threats
  • Global Platform
  • Side-channel and fault injection attack techniques and countermeasures
  • Embedded C basics
  • Embedded C for security evaluators
  • Evaluating MRTD devices
  • Payment Applications
  • Mobile Payment (USIMs and eSE)

Some interesting facts about us

  • Linux users: 5
  • Members of heavy bands: 1
  • FC Barcelona supporters: 2
  • Kilometers tracker: 14536

Customers

Below you can find our happy clients.

riscure-logo
realsec-logo
redsys-logo
ebv-logo
circutor-logo
gide-logo

Contact us

Don't hesitate to get in touch with us
We would love to discuss your projects

We are in Barcelona

You can call us on (+34) 668 81 57 90

or send us an e-mail at info@bitwise.cat
Download our gpg keys.
