AppSec / Code Audits
AppSec focuses security efforts on the individual application and ensures that each application is secure on its own. This covers both the design and the implementation of the software.
At X41 we regularly perform security source code audits to identify weaknesses in software products before attackers are able to exploit them. These audits are usually performed in close cooperation with the developers, so that X41 becomes familiar with the code base quickly and the developers properly understand the issues identified.
A security code audit identifies security issues in the design or implementation of your application. It can find issues that are hard to detect during a penetration test and can be considered a special form of a full white-box penetration test.
The code audit is conducted in several steps. In an initial design workshop, the developers brief the X41 reviewers on the design of the application and give them a walk-through of the code base. Following this, a threat model is developed jointly in order to define a baseline of what counts as a vulnerability in the applicable context. The threat model also helps the reviewers focus on the parts of the application that are most exposed with respect to the defined threats.
The reviewers subsequently conduct a code review using automated and manual methods. The main focus is on the manual review, which makes full use of the reviewers' expertise and experience in that area. All findings are discussed directly with the developers during the review in order to provide feedback, eliminate false positives and generally strengthen security awareness. X41 performs source code audits remotely or on-site, based on your requirements.
For special assignments, we can perform the code audit on-site on your own hardware, so that the source code never leaves your control.
All technical findings are reported with a technical severity rated according to CVSS and classified according to CWE. Where applicable, remediation advice is given on how to fix each of the discovered vulnerabilities. An example report can be seen here or here.
