Code

What Is It?

Code is what powers applications. At a high level it is the language in which an application's functionality is written, which is then either compiled or interpreted at run time. Many languages exist and they operate in different ways: some are lower level, meaning resources such as memory are controlled directly by the developer, while others rely on a runtime or framework to manage resources such as memory on the developer's behalf.

Why Assess It?

There are many reasons to conduct a code security assessment, five of which are below.

Impartiality

A robust quality assurance process involves independent validation. Even with the most rigorous self-evaluation, assumptions will be made about how the code works; an impartial assessment provides a clear viewpoint free of those assumptions.

Security Focus

The focus during development is on delivering functionality and meeting the timescales of the development cycle. Whilst security is considered during development, it is always beneficial to obtain assurance on the security of the code through a process focused squarely on security as the primary need.

Resiliency

Insecure code can directly affect your organisation's operations. This is not just from a vulnerability exploitation point of view: a crash stops code execution, so whatever functionality was in use is no longer accessible until the application recovers, if it can do so at all.

Duty of Care

Code is deployed onto systems, therefore care needs to be taken to ensure that the application, or the way in which it is deployed, does not introduce a security vulnerability.

Protect Intellectual Property

The code is created by your organisation's developers and could end up running on a system that is not under your organisation's direct control. Confidence needs to be sought that, even with privileged access to the underlying system, the application's code dissuades individuals from reverse engineering it and stealing the work your developers have put in.

The Agility Cyber Approach

Like all our engagements, we want you to get the most out of your code security assessment and we do this by:

Static and Dynamic

Evaluating the code line by line is useful, but we believe it should be paired with dynamic evaluation, not only to demonstrate proof of concept attacks but also to validate security assumptions in practice. We pride ourselves on disclosing accurate vulnerability information to you, rather than listing theoretical vulnerabilities that may already be mitigated, for example by modern operating system defences.
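The following is an added example, not code from this page or from any Agility Cyber engagement, of what pairing a static check with dynamic validation looks like in practice. The "application code" under review is a constructed sample embedded in the script: a crude line-based rule flags a subprocess call whose command string is concatenated with a variable, and the hit is then confirmed by running the function with an input that only produces the value 42 if a shell actually interpreted it. The rule name, function names and canary input are all assumptions made for this illustration.

```python
import re
import subprocess

# Constructed sample of application code under review (not real project code).
# greet() builds a shell command by string concatenation; greet_safe() passes an
# argument vector and never invokes a shell.
SAMPLE_SOURCE = '''
def greet(name):
    return subprocess.run("echo Hello " + name, shell=True,
                          capture_output=True, text=True).stdout

def greet_safe(name):
    return subprocess.run(["echo", "Hello", name],
                          capture_output=True, text=True).stdout
'''

# Static check (deliberately crude): a subprocess call whose command string is
# concatenated with a variable on the same line. It cannot see whether shell=True
# is set, so a hit is a candidate finding, not yet a confirmed vulnerability.
SHELL_CONCAT = re.compile(r'subprocess\.\w+\(\s*"[^"]*"\s*\+\s*\w+')


def static_findings(source):
    """Return (line_number, stripped_line) for each line matching the rule."""
    return [(n, line.strip())
            for n, line in enumerate(source.splitlines(), start=1)
            if SHELL_CONCAT.search(line)]


# The same two functions, defined for real so they can be exercised dynamically.
def greet(name):
    return subprocess.run("echo Hello " + name, shell=True,
                          capture_output=True, text=True).stdout


def greet_safe(name):
    return subprocess.run(["echo", "Hello", name],
                          capture_output=True, text=True).stdout


# Canary input: "$((6*7))" is only evaluated (to 42) if a shell parses it.
# Without a shell, echo prints the string literally and no "42" line appears.
CANARY_INPUT = "world; echo $((6*7))"


def is_injectable(func):
    """Dynamic validation: does attacker-controlled input reach a shell?"""
    output = func(CANARY_INPUT)
    return "42" in output.splitlines()


def review():
    """Combine the static candidates with the dynamic confirmation of each."""
    return {
        "static_candidates": static_findings(SAMPLE_SOURCE),
        "greet_exploitable": is_injectable(greet),
        "greet_safe_exploitable": is_injectable(greet_safe),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

Only the finding that survives the dynamic check is reported; the hardened greet_safe() doubles as the remediation snippet a developer can adopt directly.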

Threat Actor Mindset

We bring our experience of threat actors combined with our experience across other assessment types to ensure that we do not just find vulnerabilities in the code. We look at your code in the way a threat actor would wish to abuse it.

Simplify

Code can be complex, especially when an application is developed across multiple teams or organisations. We aim to look at the ecosystem of the program in its entirety and ensure you achieve security through simplicity because this both defends your organisation and also helps you maintain the level of assurance in your security posture.

Prioritised and Pragmatic Advice

We report what we find but we do not add issues to make the numbers up. We believe in identifying the patterns that affect your code and helping you to fix their root cause, ensuring you get a higher return on investment from the assessment and from any remediation effort deployed by your teams.

Empathy with Developers

We know that having something you have put effort into undergo a security review is challenging. We go to great lengths to work alongside your developers and project managers to provide the best help possible, such as providing code snippets that can be used instead of just high level advice.

Benefits of Partnering with Agility Cyber

Mutually Invested

Our experts work with you, not against you. There are no egotistical celebrations when a serious issue is discovered, just rapid full disclosure with pragmatic suggestions for effective remediation followed by ongoing support.

Clarity and Simplicity

We always provide clarity, believe in simplicity and value your time. For example, rather than waiting until the engagement starts, we conduct open source intelligence gathering before the scoping meeting to understand your organisation's position and risk posture, enabling us to ask better questions, securing you higher value and saving you time.

Full Consultancy

Our team, based in the UK, is technically exceptional but we pair that with business sense to discover, triage and help you remediate the full range of security issues.

Impartiality

We are impartial, we do not sell you products or the latest buzzword laden trending solution.

Outstanding Service

We have an industry leading turnaround, agility is in our name after all. Proposals are shared with you within 24 hours of the scoping meeting. Accurate and complete daily debriefs are given during every engagement. The report is shared within 5 working days at the latest.
