We record, compile and analyze evidence in order to conclude whether a system uses its resources efficiently and whether it presents vulnerabilities that an attacker could exploit to perform unauthorized actions. We perform two main types of audits: static code validation and security analysis.

Code validation

Using specialized tools, we analyze the source code to detect bad practices, duplicate or dead code, incorrect business logic, high cyclomatic complexity, problems in control structures, and so on.

These checks are scheduled on a continuous integration server, which provides a history of executions and an overview of the current state of the code. The objective is to have the information needed to act with a view to continuous improvement, and to put into production a product whose code quality is higher than that of the previous version.

Security analysis

Authentication, authorization, code injection, cryptography: these are some of the concerns that matter more and more as attacks on online systems grow exponentially.

We provide an overview of the product's status by segmenting the audit into the following phases:

Code Analysis

A static code review allows us to detect defects such as writing sensitive information to log files that could be accessed by unauthorized parties.

Business logic

We send malformed requests and verify that parameters are correctly validated, that data integrity is preserved, and so on.

Server security

We check the server's behavior against SQL injection, improper file uploads, denial-of-service conditions, and similar issues.

Client security

We check URL redirects, the use of cookies, and malicious HTML injection so that the integrity of the system is not affected.

Other Vulnerabilities

Multiple concurrent account sessions, server error pages, password strength, and non-destructive credentials are examples of other elements that, when poorly implemented, could cause security problems for a client.