pentext/xml/source/snippets/offerte/en/additional-code-audit_methodology.xml
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Code Audit</title>
<p>
<company_short/> will perform a code audit to aid pentesting. During a
code audit, we manually examine the code of an application to ensure there
are no security vulnerabilities and use our understanding of the code to
guide our pentesting. If vulnerabilities are found, we document them and
suggest ways to fix them. This is done by highly trained penetration testers
who can both review the raw code and interpret the findings of the
automated scans, putting them into context.
</p>
<p>
During the code audit portion of penetration tests, we take the following
criteria into account:
</p>
<ol>
<li>Risk Assessment and "Threat Modeling"<br/>
In this step, we analyze the risks of a particular application or system.
Threat Modeling is a specific, structured approach to risk analysis that
enables us to identify, qualify, and address the security risks, thus
dovetailing with the Code Review process. For example, user data is
sacred: we focus on encrypted storage, find out whether <client_short/> employees
have a backdoor into that data, and check whether stolen devices can be cut loose
by wiping them remotely and revoking their accounts.
</li>
<li>Purpose and Context<br/>
Here we focus on risks, especially those in the quick and easy sharing of
internal documents and itineraries. Account details aren't so secret
once we know who will be in meetings, but what's being discussed is secret.
</li>
<li>Complexity<br/>
The complexity of the system lies in the frameworks that support the web
application. We'd ignore those and focus only on the custom code and
backend code. We would also focus on implementation mistakes and known
flaws in the systems. For example, we'd ensure you're using the latest
versions of software, but we wouldn't delve into the framework itself.
Since we assume the code is written by a team, it should be clearly
written code. If you have several full-release versions, there will
undoubtedly be several revisions and audits on that code.
</li>
</ol>
<p>
For more information, please refer to this link:
<a href="https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents">
https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents</a>
</p>
</section>