We enjoy working closely with application development teams and have experience improving the security of large applications by continuously finding vulnerabilities, automating security tasks and, on a more holistic level, by sparring with application developers, owners and architects on secure design.
Modern applications are often released frequently, and a security test once or twice a year leaves a long window in which critical vulnerabilities can reach production. We have experience with continuous testing of individual features within large applications, both by reviewing the code and by testing the features end-to-end.
We find that when the same consultants test an application or a company regularly, testing new releases is very efficient because they are already familiar with the codebase and architecture. Finding obscure and highly complex vulnerabilities is also more common when the tester knows all aspects of the system. Continuous testing works well both as a required gate before releasing to production and as a post-release activity, where the ability to deploy frequently and flexibly outweighs the risk of a vulnerability being exposed for a short time.
We have experience reviewing code in virtually all popular languages and many frameworks, and development experience in several of them. We normally review the source code in combination with dynamic testing, but can also perform pure source code reviews.
We have experience running developer training programs, from short courses on specific skills to full-day trainings focused on security testing, secure coding, and end-to-end testing of applications the way an outside attacker would approach them.