With our SSEaaS solution a software security engineer becomes part of your team. This engineer will review you source code for any security issues. Moreover, the engineer can help you with architectural design issues, security questions and will share best practices.
As opposed to software security evaluations or penetration tests, Codean analyses your products continues in a safe and secure way. We understand your Intellectual Property (IP) concerns. Thats why we have built our solution in the most secure way you can expect from a security focused company.
It does not matter if you host your repositories in the cloud, on-premise or behind a strong VPN. We behave just like your software developers. Your source code is securely mirrored on our platform. Our analysts log into this secure platform using a secure VPN. Through a web based application they will analyze your source code.
What we offer is significantly different from what is currently out there. The questions we most often get are listed below. If you cannot find an answer to your question, please let us know. You can always reach us via the contact page.
We understand how important your Intellectual Property (IP) is. Therefor we protect your source code both through contractual agreements and technical systems. Before we ever see your source code, we sign a bi-directional NDA with you that includes all our employees.
From a technical point of view we access your source code just like your software developers. However, a copy of your source code is stored on servers that can only be access over a strong Virtual Private Network (VPN). As such, our employees have to first access this VPN before they can see your source code. We have build our Integrated Review Environment in such a way that your source code is never copied to other machines (including ones from our employees).
At this moment we are not certified. However, we have a lot of experience working with ISO/IEC 27002 and to some extend ISO 9001. Therefor, we are are actively structuring our business and technology around these standards. This should enable us to obtain official certification more easily in the future.
All our employees are under contract that prohibits and condemns any malicious behavior. Moreover, all our employees have a Certificate of Conduct (VOG) showing that their past conduct forms no obstacle for their current position. Finally, all ethical hackers we employ go through a lengthy interview process to make sure they can deliver the quality we stand for.
Yes, we provide you with a monthly report that clearly present the state of your security. This report is different from a traditional penetration testing report. We believe these traditional reports have too little technical descriptions for the developers to mitigate vulnerabilities, while having too much technical information for your management and customers. We provide the technical descriptions of vulnerabilities directly in your issue tracker. That way, we can cut down on the technical information in the monthly reports making reports much more useful for you and your customers.
This is not a problem. We access your source code just like your software developers. Even if your software developers need a VPN to access your repositories. A central server that can only be access through a strong Virtual Private Network (VPN) will reach out periodically to your source code hosting solution and retrieve a copy of the repositories that should be analyzed. This central secure location is used by our ethical hackers.
We do not need a special environment like traditional penetration testers do. We only require access to the source code (which may include database schemas). This way we make sure that we never have access to production data or environments while still being able to analyze the complete solution that ends up running on your production environment.
Our ethical hackers have a lot of experience in attacking production environments. To make sure they are up to the task, all our ethical hackers have the Offensive Security Certified Professional (OSCP) certification. We perform what we call a 'virtual penetration test'. While analyzing potential issues in your source code, they envision how an attack would actually look like from the outside. This is factored into the vulnerability we report to you.
One big issue we see with traditional penetration tests is that they see too little. They can only see the outer walls of your solution, and more obscure issues can therefore stay hidden. We can see and correlate potential vulnerabilities throughout the complete source code, which enables us to give you a more complete view of vulnerabilities present in your solution.
If you did not find an answer to what you were looking for, please let us know. You can reach us via the contact page.