Secure Code Reviews

About

For projects which require additional assurance, or where you would like additional assistance at a code level, Pākiki can carry out code reviews. These would typically be carried out in a few scenarios:

  1. If the developers would like additional training on areas where they can improve at a code level.
  2. If a system is particularly high-risk (for example, it is high profile and processes significant personal information or large financial transactions).
  3. If a system is implementing functionality which can be challenging to get right (for example, custom encryption).
  4. If you have specific concerns and would like an in-depth review of one part of the codebase.

Broadly speaking, if you are seeking to understand what vulnerabilities are present in an application, a whitebox penetration test (where the consultant has access to the source code) is a better approach.

How we can help

Pākiki can carry out code reviews of applications; we have experience with most common languages and frameworks. We also have experience reviewing cryptographic code (where the code makes use of higher-level cryptographic primitives).

The majority of code reviews will sample a number of end-to-end interactions from the frontend user interface to the backend, understanding every line of code on those paths and identifying security vulnerabilities or development practices which could lead to vulnerabilities. The consultant would then explicitly seek to understand the security logic of the application (how login is implemented, how authorisation is implemented, searching for potentially unsafe functions, etc.).

What you get

At the end of the engagement, you’ll receive a written report, detailing:

Process

All of our engagements follow a similar process:

  1. We start by scoping the engagement: understanding what you're looking for, discussing the technologies and platforms in use, and any key concerns that you may have. From this, we produce a Statement of Work detailing the effort required, cost, any prerequisites, and our approach to the engagement.
  2. Once the Statement of Work is signed, we'll work with you to schedule the work.
  3. Prior to the engagement starting, we'll be in touch to organise any prerequisites we require and where practical will test these prior to the engagement. This will ensure the engagement commences on time.
  4. The consultant will start the engagement and will provide regular updates. You will be notified of any high or critical severity issues as soon as they are found.
  5. At the end of testing, a report will be produced and provided.
  6. A close-out meeting is held to provide any additional context around the business impact of what we identified, and to provide a chance for any further questions on how to remediate what was found.
  7. Optional retesting can be carried out in order to confirm that any vulnerabilities have been successfully remediated.

Get in touch

We’d love to hear about your project:

Contact Us