Services relying on a white-box approach are preferred to identify security issues more efficiently than black-box assessments such as penetration testing or reverse engineering.

Technical activities listed below can fit easily in an agile context and are available whether the target is

They correspond to the Construction and Verification sections of the OWASP Software Assurance Maturity Model and match the Intelligence and SSDL Touchpoints of the Building Security In Maturity Model initiative.

Threat Modeling

  • Workshops to identify threats following the STRIDE methodology
  • Prioritisation according to business risks
  • Definition of countermeasures for the selected risks

Security and privacy requirements

Definition of use cases to
  • protect the access to your business assets
  • guarantee the privacy for the end user
  • cope with Denial Of Service attacks

Design analysis

Workshops to validate that the design is compatible with the security/privacy requirements, with a strong focus on
  • Remote APIs (e.g. authentication, confidentiality)
  • Data storage (e.g. translucent databases)
  • Business logic running client-side vs server-side

Security and privacy features implementation

  • Recommendations on secure components/frameworks/libraries to be used
  • Cryptographic specifications (protocols, algorithms, parameters, etc.)
  • Implementation of those features with the development team

Code review

  • Targeted manual review of critical code (e.g. payment or login features)
  • Support for the deployment of Static Analysis Security Testing (SAST) tools
    • triage of findings
    • custom rules matching the technology stack
    • integration into the SDLC and awareness workshops for developers

Security and privacy testing

  • Definition of abuse cases from security and privacy requirements
  • Implementation of automated security/privacy tests for cost-effective scenarios
  • Manual testing of the remaining abuse cases (in an environment that is not yet hardened, so as to assess the robustness of the software on its own)

Other services tailored to your security needs can be provided on demand.