The main goal of a code audit / review is to identify security vulnerabilities within the design or application source code of your product. Complementing a code audit with a penetration test is recommended as it allows the testers to achieve the highest coverage and identify hard-to-spot weaknesses by combining the dynamic as well as static testing approach.
Our hand-selected team of senior consultants at RootSys are fluent in a wide range of programming languages, capable of performing code audits against code bases written in the following programming languages: C#, Java, Golang, Rust, C++, C, Kotlin, SWIFT, Objective-C, Python, Rust, among others.
RootSys conducts code audits in several steps, where an initial scoping and workshop together with the development team allows the consultants to get an overview of the application’s design, it’s architecture and code structure. This input is essential for the creation of a threat model, better tailoring the actual code review towards our clients’ need and the definition of a baseline of what potential threats the application’s threat model includes.
Following that, consultants conduct the actual code audit using manual as well as automated methods. We stress that the main focus of the code audit lays on manual code analysis, in order to take full advantage of the expertise and experience of the consultants. RootSys aims to conduct code audits in strong collaboration with the development team, communicating findings as they arise directly to the developers. This also helps to eliminate false-positives and better tailor the testing of important and interesting areas, as we directly incorporate feedback from the development team into the review process.
At the end of every code audit, RootSys provides a technical report including all identified vulnerabilities along with a severity rating according to industry standards.