X41 Frequently Asked Questions
The following are common questions and answers about our services:
Source Code Audit
What is a source code audit?
X41 security consultants will check the source code and design of your application for potential security issues.
Do I need to give my source-code to X41?
No, you don’t need to give your source code to X41. A code audit can be conducted on-site, if requested. The testers will only use systems provided and controlled by the customer to inspect the source code.
How is a code audit conducted?
A code audit is conducted in several steps. First, X41 develops a threat model together with you while being introduced to the code base. The threat model defines all threats that are relevant for the application and establishes a baseline for all further steps. In the second step, the reviewers read through the code and identify security issues. These are documented and explained to the developers in daily briefings.
What are the benefits of a code audit?
Code audits help to discover more issues than a penetration test during the development of the product. They not only uncover direct vulnerabilities, but also design flaws, violations of best practices, and dangerous coding patterns that might cause severe vulnerabilities in the future. Additionally, the security knowledge of your developers is substantially increased. A detailed technical report including a management summary describes each issue along with its CVSS score, CWE, and recommendations on how to remediate and fix the discovered issues.
What programming languages do you review?
Do you also review binary components and libraries?
X41 will perform binary analysis and reverse engineering on components whose source is not available, if necessary and requested.
Can you split the report into sections for my different departments?
This is no problem, just provide us with details on how we should sort the results.
Can you provide the findings in CSV/XML/… format?
Of course, just provide us with details on how the results should be structured.
Is dynamic or static analysis part of a code audit?
This depends on the type of project and on whether it is requested; we will adapt to your needs to provide you with the services you require. X41 has experience with a wide range of static analysis techniques and tools. Dynamic techniques such as trace analysis and fuzzing can also be employed to uncover vulnerabilities.
Can you enter the issues directly into our bugtracker?
In addition to the technical report, or even as an alternative to it, the X41 reviewers can report the issues directly into your development bug-tracking system. This helps to distribute security knowledge directly to the developers and speeds up fixing of the discovered issues.
How long does a code audit take?
The time needed for a review highly depends on the amount of source code, its complexity, and the depth of the audit. Please contact us directly and we will work out the right scope and sizing for your project with you.
How can I prepare for a code audit?
Good documentation and a supportive developer who knows the project can speed up a code audit considerably. If you can provide documentation regarding the security assumptions and security-relevant aspects of the project, you will make the X41 reviewers happy. Removing dead code before the audit also avoids unnecessary review time and costs.
What equipment do you need during the code audit?
We like to work in the same environment as your developers. If you are working with Microsoft Windows, a Cygwin environment would be helpful.
Do you need access to developers for the entire time of the code audit?
Not for the entire time, but it is helpful to be able to ask one of the developers questions and to report high-severity issues during the code audit. Usually this takes less than 30 minutes per day.
What is a penetration test?
A penetration test is an attack against a network or service with the intent of discovering the same flaws, using the same techniques, that a real attacker would.
How long does a penetration test take?
This highly depends on the systems and services tested, but usually at least 10 person days are required to provide meaningful results.
What do I need to provide during the test?
An emergency contact, in case severe security issues are discovered or systems stop working. Penetration testing can be conducted on live production systems, staging systems, or testing environments. The choice highly depends on what results are expected from the test and what its intention is. In any case, X41 requires a backup of all sensitive data in order to avoid unintentional data loss.
How do we communicate securely?
X41 prefers to communicate in person, via GPG-encrypted e-mail, or using secure messengers such as Signal or Wire. We will adapt to your needs.
What are the results of a penetration test?
A detailed report including a management summary is delivered after the test. It describes each issue along with its CVSS score, CWE, and remediation advice.
Can you enter the issues directly into our bugtracker?
If this is your preferred way to work, X41 will support you and enter the issues directly.
What is the difference between white-box, grey-box and black-box testing?
Testing modes differ in the information the testers receive. During a black-box test, the testers are provided only minimal information, while a white-box approach provides maximal information and full access to all systems. A grey-box test is a compromise between the two: only information that an attacker could obtain given more time and effort is revealed to the testers.
Do you perform retests to see if we implemented the mitigations and fixes properly?
Yes. A retest is conducted after the initial penetration test. It ensures that all fixes and mitigations work as they should.
What is the difference between a penetration test and vulnerability scanning?
Vulnerability scanning is fully automated; it does not uncover all issues and generates false positives (reported security issues that are not real threats). A penetration test combines manual and automated tests and is therefore able to uncover underlying issues while reducing false positives.
How much experience do you have in penetration testing?
X41 security consultants have 10 or more years of experience in security consulting, development, and penetration testing.
Can you perform a complete black box test, where you get no information from me besides my company name?
This is possible, but X41 needs to introduce an additional step in the process. For legal reasons, you need to confirm that the hosts to be tested belong to your company, so that we do not break into the servers of a third party by accident.