You want your software to be secure
You are great at building awesome software products, but making them secure is a different ballgame altogether. Your customers know this, because they ask for a pentest or vulnerability scan.
We believe that a source code review enables us to find the most vulnerabilities. However, we also see the value in pulling off an actual hack, so our security analysts verify the vulnerabilities they find in a testing environment.
Software security analysis
Our security analysts help software development companies with a one-off pentest, just like a regular pentest but more accurate and for a lower budget. However, we can do more.
One of our software security engineers can become part of your team and integrate security into your agile way of working: reviewing code after each commit, acting as a sparring partner for secure design choices, and sharing best practices.
Standard pentest reports are lengthy, too complex for management, and too superficial for developers. We improve that by sending issues found by our security analysts directly to your issue tracker (GitLab, Jira, etc.).
Of course we still provide a 'standard' pentest report if you need that for your customers.
To make sure your developers can fix vulnerabilities quicker, we add strategies to mitigate those vulnerabilities.
Since our security analysts work in our review environment, they are a lot more efficient and effective at finding vulnerabilities. That performance increase lets us lower prices while finding more vulnerabilities at the same time.
By leveraging our codemark feature, it becomes possible to perform a continuous security review. You work agile with CI/CD, so why do a pentest just once a year? The week after a pentest you add new code, and therefore potentially new vulnerabilities...
Services and pricing
After an intake video call we can take a few hours to gauge your current security level by doing a 'gap analysis' on your software.
This will result in a brief report with advice on what the focus areas are, and what work our security engineers could perform. Finally, it gives an indication on the work required for step 2.
Full codebase analysis
We connect to your Git repository, load your codebase into our review environment and perform a full review of it (including infrastructure as code).
The resulting 'pentest' report can be sent to customers and investors, but is also a good indication for the continuous analysis.
Pricing: € 7.500 ~ € 12.500
*Depending on the complexity and size of your codebase
We fully integrate our review service into your team and workflow. We communicate any new security issues through your issue tracker as soon as they appear.
This enables you to resolve security issues swiftly and efficiently, and to stay continuously secure.
Pricing: € 400 ~ € 600 / month, per software engineer FTE on your team
*Since we have more work if your team is bigger and produces more potentially vulnerable code.
We use programming language X, is that supported by Codean?
We need a penetration testing report for our customer, do you provide this?
Yes, we provide you with a report that clearly presents the state of your security. This report is different from a traditional penetration testing report. We believe these traditional reports contain too little technical detail for developers to mitigate vulnerabilities, while containing too much technical information for your management and customers. We provide the technical descriptions of vulnerabilities directly in your issue tracker. That way, we can cut down on the technical information in the monthly reports, making them much more useful for you and your customers.
When you use our Continuous Review service, we can provide a report at any moment you need it, because we work continuously on your security.
We host our source code on our own premises, is this a problem?
This is not a problem. We access your source code just like your software developers do, even if your software developers need a VPN to access your repositories. A central server that can only be accessed through a strong Virtual Private Network (VPN) reaches out periodically to your source code hosting solution and retrieves a copy of the repositories that should be analyzed. This central secure location is used by our ethical hackers.
How do you keep my source code safe?
We understand how important your Intellectual Property (IP) is. Therefore we protect your source code both through contractual agreements and technical systems. Before we ever see your source code, we sign a bi-directional NDA with you that covers all our employees. From a technical point of view we access your source code just like your software developers do. However, the copy of your source code is stored on servers that can only be accessed over a strong Virtual Private Network (VPN). As such, our employees first have to connect to this VPN before they can see your source code. We have built our review environment in such a way that your source code is never copied to other machines (including those of our employees).
Isn't a 'blackbox' approach more effective because it mirrors a criminal hacker?
Our security analysts / ethical hackers have a lot of experience in actually attacking environments; they hold the Offensive Security Certified Professional (OSCP) certification. We perform what we call a 'virtual penetration test'. While analyzing potential issues in your source code, they envision what an attack would actually look like from the outside. This is factored into the vulnerabilities we report to you. One big issue we see with traditional (blackbox) penetration tests is that they see too little. They can only see the outer walls of your solution, so more obscure issues can stay hidden. We can see and correlate potential vulnerabilities throughout the complete source code, which enables us to give you a more complete view of the vulnerabilities present in your solution.
Is Codean certified?
At this moment we are not certified. However, we have a lot of experience working with ISO/IEC 27001 and, to some extent, ISO 9001. Therefore, we are actively structuring our business and technology around these standards. This will enable us to obtain official certification more easily when we apply in the coming year.