We record, compile and analyze evidence in order to check whether a system is written efficiently and maintainably (code validation, mostly static) and whether it exposes vulnerabilities that an attacker could exploit (security analysis).

Code validation

Using specialized static analysis tools, we inspect the source code for bad practices, duplicated or dead code, commented-out code, incorrect business logic, high cyclomatic complexity, faulty control structures and similar defects.

These analyses are scheduled on a continuous integration server, so that every build adds to the project history and we can see both the current state and the trend. A quality gate compares each build with the previous version and blocks the promotion of a product whose code quality has dropped.
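As an added illustration (not code from the original page), the quality gate described above can be written as a small script that compares the metrics of the current build against the previous release and fails when any of them regresses. The metric names, the direction in which each one counts as "better" and the sample numbers are assumptions for the example; a real gate would read them from the analysis tool's report.

```python
import sys

# Assumed metric names for the example: which direction counts as an improvement.
LOWER_IS_BETTER = {"duplicated_lines_pct", "max_cyclomatic_complexity", "dead_code_blocks"}
HIGHER_IS_BETTER = {"test_coverage_pct"}


def find_regressions(previous: dict, current: dict) -> list:
    """Compare two metric sets and return one message per regression.

    An empty list means the build may be promoted. A metric that was reported
    for the previous release but is missing now is treated as a regression,
    because a metric that silently disappears hides the trend instead of
    showing it.
    """
    regressions = []
    for name in sorted(previous):
        if name not in current:
            regressions.append(f"{name}: missing from current build")
            continue
        old, new = previous[name], current[name]
        if name in LOWER_IS_BETTER and new > old:
            regressions.append(f"{name}: {old} -> {new} (increased)")
        elif name in HIGHER_IS_BETTER and new < old:
            regressions.append(f"{name}: {old} -> {new} (decreased)")
    return regressions


def gate_passes(previous: dict, current: dict) -> bool:
    """True when no metric got worse than in the previous version."""
    return not find_regressions(previous, current)


# Constructed sample data, not measurements from a real project.
PREVIOUS_RELEASE = {
    "duplicated_lines_pct": 3.1,
    "max_cyclomatic_complexity": 12,
    "dead_code_blocks": 0,
    "test_coverage_pct": 81.0,
}
CURRENT_BUILD = {
    "duplicated_lines_pct": 2.8,      # improved
    "max_cyclomatic_complexity": 17,  # regressed: one function grew too complex
    "dead_code_blocks": 0,
    "test_coverage_pct": 81.0,
}

if __name__ == "__main__":
    problems = find_regressions(PREVIOUS_RELEASE, CURRENT_BUILD)
    for line in problems:
        print("REGRESSION", line)
    # A non-zero exit status is what makes the CI server refuse the promotion.
    sys.exit(1 if problems else 0)
```

Run as the last step of the CI pipeline, the script's exit status is the gate: the job fails, and the build is not promoted, whenever at least one metric is worse than in the release it is meant to replace.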

Security analysis

Authentication, authorization, code injection, correct output encoding: we cover a wide spectrum of security concerns, following up-to-date guidance such as the OWASP guides.

We provide an overview of the product's status by dividing the audit into the following phases:

Code analysis

A static code review lets us detect defects in the code, such as writing sensitive information (credentials, personal data) to log files that others can read, or code patterns that spend far more CPU time than a simple task requires. Static review points at the suspicious pattern; the actual cost is confirmed by measuring the running system.

Business logic

We send erroneous and malformed requests to verify parameter validation, data integrity, correct encoding, and that the application's business rules still hold when the client does not behave as expected.

Server security

We check the behavior against SQL injection, unrestricted file uploads, denial-of-service conditions and similar server-side attacks.
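As an added example (not the page's own code, nor any audited product's), two of the server-side checks named above can be reproduced against a throwaway in-memory SQLite database: one user lookup builds its query by string concatenation and one binds the input as a parameter, and a filename filter shows what an upload handler should reject before it writes anything to disk. The table layout, the rows inserted and the allowed extensions are constructed for the example.

```python
import os
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", 1), ("bob", "hash-b", 0)],
    )
    return conn


def find_user_vulnerable(conn, username: str) -> list:
    """Builds the query by concatenation: the input becomes part of the SQL grammar."""
    query = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username: str) -> list:
    """Binds the input as a parameter: it can only ever be compared as a value."""
    query = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(query, (username,))]


# Classic tautology payload sent during the server security phase.
INJECTION_PAYLOAD = "' OR '1'='1"

# Assumed upload policy for the example: a short allowlist of extensions.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "pdf"}


def safe_upload_name(filename: str):
    """Return a sanitized file name, or None if the upload must be rejected.

    Rejects path traversal (directory parts are stripped, '..' is refused),
    names with characters outside a conservative set, and any extension not
    on the allowlist. The extension check is not a content check: a real
    handler would also inspect the file bytes before trusting the type.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        return None
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", base):
        return None
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return base


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, INJECTION_PAYLOAD))  # both users leak
    print("safe:      ", find_user_safe(db, INJECTION_PAYLOAD))        # nothing matches
    for name in ("report.pdf", "../../etc/passwd", "shell.php", "photo.JPG"):
        print(f"{name!r:>20} -> {safe_upload_name(name)}")
```

The payload turns the concatenated query into `WHERE username = '' OR '1'='1'`, which is true for every row; with a bound parameter the same string is compared literally as a username and matches nothing.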

Client security

We check for open redirects, insecure cookie settings and malicious HTML injection (cross-site scripting), so that the integrity of the client side is not compromised.
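Two of those client-side checks can be automated in a few lines; what follows is an added example and not code from the page or from any audited product. The first function decides whether a redirect target may be followed, the second audits one Set-Cookie header for the attributes a session cookie should carry. The allowed host list and the header values are constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed for the example: the only hosts a redirect may point to.
ALLOWED_REDIRECT_HOSTS = {"app.example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_REDIRECT_HOSTS) -> bool:
    """Accept only same-site absolute paths or URLs on an allowlisted host.

    Rejects scheme-relative URLs ('//evil.com'), backslashes that some browsers
    treat as slashes, userinfo tricks ('https://good@evil.com'), CR/LF that
    could split the Location header, and schemes other than http(s).
    """
    if not target or "\\" in target or "\r" in target or "\n" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("", "http", "https"):
        return False
    if parts.netloc:
        host = parts.hostname
        return host is not None and host.lower() in allowed_hosts
    # No authority part: must be an absolute path, and '//' would be an authority.
    return target.startswith("/") and not target.startswith("//")


def audit_set_cookie(header_value: str):
    """Return (cookie_name, findings) for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected script")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite missing or None: sent on cross-site requests")
    if name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    return name, findings


if __name__ == "__main__":
    for url in ("/account", "//evil.com/x", "https://app.example.com/home",
                "https://app.example.com@evil.com/", "javascript:alert(1)"):
        print(f"{url!r:>40} -> {'follow' if is_safe_redirect(url) else 'reject'}")
    for header in ("session=abc123; Path=/",
                   "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"):
        print(audit_set_cookie(header))
```

The redirect check deliberately refuses relative targets without a leading slash and anything with an authority part that is not on the allowlist; being strict here costs little, while a single accepted `//evil.com` turns a login page into a phishing relay.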

Other vulnerabilities

Concurrent sessions for a single account, verbose server error pages, weak password strength rules or credentials that are never invalidated are examples of other areas that are often poorly implemented and can lead to security problems.