SERVICES > Code Audit

A security code audit identifies security issues in the design or implementation of your application. It is able to identify issues that are hard to identify during a penetration test and can be considered a special form of a full white-box penetration test.

The code audit is conducted in several steps. Starting with an initial design workshop, the reviewers of X41 are briefed by the developers about the design of the application and are given a walk-through of the code base. Following this, a threat model is developed jointly in order to define a baseline of what counts as a vulnerability in the applicable context. This also helps testers to focus on specific parts of the application that might be especially vulnerable regarding the defined threats.

The reviewers subsequently conduct a code review using automated and manual methods. Here, the main focus is on the manual review making full use of the expertise and experience of the reviewers in that area. All findings are discussed with the developers directly during the review in order to provide feedback, eliminate false positives and generally strengthen security awareness. X41 performs source code audits remotely or on-site, based on your requirements.

For special assignments, we can perform the code audit on-site, on your hardware so the source code never leaves your control.

All technical findings are reported with a technical severity according to the CVSS and CWE scoring systems. If applicable, solution advice will be given on how to fix each of the discovered vulnerabilities. An example report can be seen here or here.