We use programming language X. Does Codean have experience with it?
We need a penetration testing report for my customer, do you provide this?
Yes, we provide you with a report that clearly presents the state of your security. This report is different from a traditional penetration testing report. We believe that traditional reports contain too little technical detail for developers to mitigate the vulnerabilities, while containing too much technical detail for your management and customers. We therefore deliver the technical description of each vulnerability directly in your issue tracker, where the developers work. That allows us to keep the technical content of the monthly reports to a minimum, which makes the reports much more useful for you and your customers.
When you use our Continuous Review service, we can provide a report at any moment you need one, because we work on your security continuously.
We host our source code on our own premise, is this a problem?
This is not a problem. We access your source code in the same way your software developers do, even if your developers need a VPN to reach your repositories. A central server on our side, reachable only through a strong Virtual Private Network (VPN), periodically connects to your source code hosting solution and retrieves a copy of the repositories that should be analyzed. Our ethical hackers work exclusively from this central, secured location.
How do you keep my source code safe?
We understand how important your Intellectual Property (IP) is. We therefore protect your source code through both contractual agreements and technical controls. Before we ever see your source code, we sign a bi-directional NDA with you that covers all our employees. Technically, we access your source code in the same way your software developers do. However, our copy of your source code is stored only on servers that can be reached over a strong Virtual Private Network (VPN), so our employees must first connect to this VPN before they can see your source code. We have built our review environment such that your source code is never copied to other machines, including our employees' own machines.
Isn't a 'blackbox' approach more effective because it mirrors a criminal hacker?
Our security analysts / ethical hackers have a lot of experience in actually attacking environments; they hold the Offensive Security Certified Professional (OSCP) certification. We perform what we call a 'virtual penetration test': while analyzing potential issues in your source code, they envision what an attack would actually look like from the outside, and this is factored into the vulnerabilities we report to you. One big issue we see with traditional (blackbox) penetration tests is that they see too little. They can only probe the outer walls of your solution, so more obscure issues can stay hidden. We can see and correlate potential vulnerabilities throughout the complete source code, which enables us to give you a more complete view of the vulnerabilities present in your solution.
Is Codean certified?
At this moment we are not certified. However, we have a lot of experience working with ISO/IEC 27001 and, to some extent, ISO 9001. We are therefore actively structuring our business and technology around these standards. This will make it easier to obtain official certification when we apply in the coming year.