Application Security

As a codebase grows, its complexity grows with it, and complexity is the enemy of security: it becomes hard to know what issues may be hiding. We help discover vulnerabilities and identify the weak spots in your application using real-world research and the techniques a skilled attacker is most likely to use.

Thoroughly reviewing your source code lets us identify subtle vulnerabilities that are hard to find from the outside. This additional context greatly improves the yield of an application penetration test: unlike an attacker, we perform our assessments under a tight time constraint, and code review makes that time count. It also allows us to work more closely alongside developers and offer better remediation recommendations.

We Assess

Application Software

Web Applications

Server-side and client-side code for a web application.

Mobile Applications

Applications that run on iOS and Android.

Web APIs

REST, GraphQL, Serverless, and Microservices.

Web Applications

Web applications are the primary medium by which we interact on the internet. We review both server-side and client-side applications for security vulnerabilities. Our consultants have worked with many of the popular languages and frameworks.

We closely examine:

  • Authentication & Session Management
  • Authorization & Business Logic
  • Data Handling
  • Input Handling
  • Browser Security

Mobile Applications

Mobile platform APIs and security models are constantly evolving and we help make sure that your application is up to date on best practices. We perform security assessments for mobile applications that run on iOS and Android.

As part of an assessment we focus on:

  • Transport Security
  • Data Storage & Privacy
  • Cryptography & Credentials Storage
  • Permissions
  • Logging & Exception Handling

Web APIs

APIs are the backbone of the modern web. We review a wide variety of Web APIs for security vulnerabilities.

Some common ones we work with are:

  • REST
  • GraphQL
  • Serverless (Cloud Functions/Lambda)
  • Microservices

Our Process

Methodology

Our application and infrastructure assessment methodologies are provided below. These documents describe our entire assessment process end-to-end. We're transparent: we make our process simple and clear to those who have never undergone a security assessment. For those familiar with security assessments, these documents give insight into the nuances of our approach.

1. Pre-engagement

Establish the goals and scope of the project.

2. Access

Validate the test environment, access, and configuration.

3. Testing

Perform a tool-assisted manual security assessment of the targets in scope.

4. Post-engagement

Deliver and present the assessment results and remediation recommendations.