How can you know whether a malicious developer has planted a backdoor in your application? A black-box (no source code) penetration test is unlikely to find it. Penetration testers and security teams are also at a great disadvantage compared with real attackers: real attackers have no scope limitations, no time or budget constraints and no report to write. If you pay for a 5-day pentest, the team or company you hired has only that time to review your security and write up what they find. Some vulnerabilities have surfaced only after many years of scrutiny (e.g. Shellshock sat in bash for about 25 years, Dirty COW in the Linux kernel for around 9 years), and a real attacker can study the security implications of your application, its dependencies and its technology stack at a depth that a short pentest simply does not allow. In this context, the Verizon Data Breach Investigations Report for 2019 found that "Organized criminal groups were behind 39% of breaches" and that "Actors identified as nation-state or state-affiliated were involved in 23% of breaches".
A code audit brings balance to the force and puts penetration testers and security teams in a much better position to use their time effectively. They still have less time than real attackers, but with the source code in hand they can review the security of the application far more efficiently. Some classes of issue (logic flaws, unsafe defaults in rarely exercised paths, hard-coded secrets) can realistically only be found through a code audit, and code review is the only effective way to find backdoors that malicious developers or attackers may have introduced. A further advantage is that mitigation guidance can be tailored precisely for your developers: we can point to the affected file and the exact lines of code where the problem lies, and propose concrete ways to fix it.
We do not lock ourselves into any particular checklist; we review your security from the perspective of a real attacker, using manual testing techniques and automation where needed, always in a controlled fashion and always with your permission. That said, our code audits typically follow the OWASP Code Review Guide and provide adequate coverage of the OWASP Top 10, the OWASP Mobile Top 10, the OWASP Mobile Security Testing Guide and the OWASP Testing Guide, as applicable to the target application. Some examples of this work are public. We focus on high-impact application areas to ensure that critical issues are identified and subsequently eliminated. We will always tailor the test to your specific needs: perhaps your threat model is different and you are worried about another type of attacker, or what your application is trying to protect is simply not standard. We can help you with that.
Simply contact us and let us know what you need tested. We will reply with some questions to understand the scope, then schedule the test and tailor it to your needs, free of charge. If you want to proceed, we will send you an offer for signing and coordinate the next steps with you from there.