The following are common questions and answers about our services:
X41 security consultants will check the source code and design of your application for potential security issues.
No, you don't need to give your source code to X41. A code audit can be conducted on-site, if requested. The testers will only use systems provided and controlled by the customer to inspect the source code.
A code audit is conducted in several steps. First, X41 develops a threat model together with you and is introduced to the codebase. The threat model defines all threats that are relevant to the application and establishes a baseline for all further steps. In the second step, the reviewers read through the code and identify security issues. These are documented and explained to the developers in daily briefings.
Code audits help to discover more issues than a penetration test during the development of the product. They uncover not only direct vulnerabilities, but also design flaws, violations of best practices, and dangerous coding patterns that might cause severe vulnerabilities in the future. Additionally, the security knowledge of your developers is substantially increased. A detailed technical report including a management summary describes each issue along with its CVSS score, CWE, and recommendations on how to remediate the discovered issues.
X41 will perform binary analysis and reverse engineering on components that are not available in source if necessary and requested.
This is no problem, just provide us with details on how we should sort the results.
Of course, just provide us with details on how the results should be structured.
This depends on the type of project; if requested, we will adapt to your needs to provide you with the services you require. X41 has experience with a wide range of static analysis techniques and tools. Dynamic techniques such as trace analysis and fuzzing can also be employed to uncover vulnerabilities.
In addition to a technical report, or even as an alternative, the X41 reviewers can report the issues directly into your development bug-tracking system. This distributes security knowledge directly to the developers and speeds up fixing of the discovered issues.
The time needed for a review depends heavily on the amount of source code, its complexity, and the depth of the audit. Please contact us directly and we will work out the right scope and sizing for your project with you.
Good documentation and a supportive developer who knows the project can speed up a code audit considerably. If you can provide documentation regarding the security assumptions and aspects of the project, you will make the X41 reviewers happy. Removing dead code before the audit also avoids unnecessary review time and costs.
We like to work in the same environment as your developers. If you are working with Microsoft Windows, a Cygwin environment would be helpful.
Not for the entire time, but it is helpful to be able to ask one of the developers questions and report high severity issues during the code audit. Usually this takes less than 30 minutes per day.
A penetration test is an attack against a network or service, with the intent of discovering the same flaws, using the same techniques, that a real attacker would.
This depends heavily on the systems and services tested, but usually at least 10 person days are required to provide meaningful results.
An emergency contact in case severe security issues are discovered or systems stop working. Penetration testing can be conducted on live production systems, staging systems, and testing environments. The choice depends heavily on what results are expected from the test and what its intention is. In any case, X41 requires a backup of all sensitive data in order to avoid unintentional data loss.
X41 prefers to communicate in person, via GPG/E-Mail, or using secure messengers such as Signal or Wire. We will adapt to your needs.
A detailed report including a management summary is delivered after the test. It describes each issue along with its CVSS score, CWE, and remediation advice.
If this is your preferred way to work, X41 will support you and enter the issues directly.
Testing modes differ in the information the testers receive. During a blackbox test, the testers are provided only minimal information, while a whitebox approach provides maximal information and full access to all systems. A greybox test is a compromise between the other two: only information that an attacker could obtain with additional time and effort is revealed to the testers.
A retest is conducted after the initial penetration test. It ensures that all fixes and mitigations work as they should.
Vulnerability scanning is fully automated; it does not uncover all issues and generates false positives (reported security issues that pose no real threat). A penetration test combines manual and automated testing and is therefore able to uncover underlying issues while reducing false positives.
X41 security consultants have 10 or more years of experience in security consulting, development, and penetration testing.
This is possible, but X41 needs to introduce an additional step in the process. For legal reasons, you need to confirm that the tested hosts belong to your company, so that we do not break into a third party's servers by accident.