∞ code analysis

continuous whitebox pentest

Continuous thorough pentest

∞ code analysis means continuous security analysis of your software product including source code review, vulnerability assessment, and testing. It provides the most insightful, actionable, and comprehensive feedback to your development team.


How it works

One-off setup for endless gain

We connect with your tooling

Codean Labs connects with your repository and issue tracker. This way we can pull your code and submit security issues (as well as their impact and suggested improvements) directly to your dev team. Practical, right?

We do a pentest of your product, or of its latest updates

We pull the code from the repository or repositories in scope, perform a code review, vulnerability assessment, and security testing of the full product, or of its latest updates. We report our findings, their criticality, and their possible remediation straight into your issue tracker, as soon as found. If needed, we also provide a shareable report as often as you need it.

And repeat

Every month we repeat step 2, so your product remains secure for its entire life-cycle. Unless instructed otherwise, we simply follow along, with no action required from your side. We are, however, very open to guidance if you wish to provide it. Do you need urgent feedback on a particular feature? Just send us a line and we'll prioritize its review!

Which software products Codean Labs can pentest

White-box-cryptography (WBC) implementations

Cryptographic protocols and architectures

Web applications

Mobile applications

Cloud solutions

Infrastructure-as-Code

PCI DSS security testing

Full modern software solutions

Embedded and IoT devices, firmware and hardware

Desktop applications

Peace of mind

All pentesting companies offer some degree of peace of mind by reporting security issues in your product. Codean Labs does not stop there, and ensures that peace of mind is extended to every step of the journey.

We connect with your tools and become fully independent in all tasks, as if we were an extension of your team. We pull the code when there is an update, flag security issues in your issue tracker, minimize your effort to remediate identified problems, and align with your priorities.

An inside-out approach

We first identify the security assets in your code, trace back potential weak points, and verify whether they could be abused by performing an attack on your test environment. No pentesting service is more thorough!

This approach helps you build a strong product with security controls embedded.

Better than automated tooling

Many pentesting companies rely fully on automatic tools, supported by AI and/or by the most clever algorithms, to spot vulnerabilities. This approach overlooks non-standard vulnerabilities and cannot evaluate the correctness and exploitability of findings, leading to both false positives and false negatives. Our manual approach and extensive experience yield better coverage and accurate feedback.

Better than grey/blackbox

Working without confidential information, or with only limited access to it (no source code and/or documentation), is the closest setting to a real-life scenario, but these approaches provide limited coverage: the pentest is conducted blind, so some luck is involved in finding vulnerabilities within a time-boxed engagement. Real-life attackers are not bound by time, so they can always invest more effort than a pentester is allowed. With the whitebox approach offered by this service, coverage is guaranteed by the ability to look closely at all security-relevant functionality in a software product.

Better than standard whitebox even!

A whitebox approach is the most thorough and provides the most accurate results. Its only real downside is that it is rather costly, as it requires more time than automatic scanners or grey/blackbox pentests. But does it have to? At Codean Labs we use our own tool, Codean, to increase efficiency, so we can deliver the quality of a whitebox pentest in the time of a blackbox pentest. Win-win!

What does the subscription cover?

With ∞ code analysis, our expert security analysts first fully review the current version of your code from a security perspective, after which they follow along as you develop. This means that we review all new code that is committed (as long as it is within the limits defined by the subscription) on a monthly basis, typically before it hits production. Not literally as you type, but never later than a month after typing! Security issues are shared as soon as they are found, and reports as often as you need them. Your software receives a number of hours of attention based on the development rate of your product.

What do white-, grey-, and black-box mean?

These are industry terms for approaches that can be taken when evaluating the security of software systems.


When using a whitebox approach, pentesters are given access to the source code of the software they are analyzing; this corresponds to our ∞ code analysis service. In contrast, a blackbox approach puts a pentester in the shoes of an external attacker having no confidential information like source code or documentation. A greybox approach is somewhat in between white- and black-box: typically the code is unavailable but some information is shared. Grey- and black-box approaches are followed in our ◦ codeless analysis service.


As a rule of thumb, request a whitebox approach for a more thorough analysis with clear coverage, and a grey- or black-box approach for a feel of what an external attacker could do in a defined timeframe.

Will I receive a shareable summary report?

Yes! You may need to give your client(s) or management an insight into the security of your product. We got you covered with periodical summary reports showing the overall security of your software (without revealing critical details) as well as your developments over time.

Does Codean Labs securely store source code?

Codean Labs takes security seriously, and employs industry-standard measures to protect your assets, such as your code and any potential findings. Because we connect straight to your code-hosting platform (e.g. Github, Gitlab, ...), there is no need to transfer ZIP files or use third-party cloud storage.

What types of software do you pentest?

We have very wide expertise in software security, so anything from embedded to cloud, and everything in between, is within our capabilities to pentest. In practice, what we see most are web and mobile applications, together with their associated backend(s) and cloud infrastructure.


Even in the design phase, we can help by reviewing your planned technical design or architecture. By giving you early feedback from a security perspective, we can help you build a strong core, making sure no time is wasted refactoring it later.

When can you start?

We try our best to meet your needs, aiming to start as soon as you are ready! Together with you, we will agree upon a specific start date.

Do I have to share my source code with Codean Labs?

We understand the hesitation in sharing your most precious asset, the source code of your product. Therefore we have strong security measures in place to protect it during ∞ code analysis. Specifically, there is no need to share .zip files or download links with us; instead, we connect our system to your own code hosting platform (e.g. Github, Gitlab), so we align at least with the security you already have in place.


If you prefer a security assessment without code access, we also offer our ◦ codeless analysis service. There, we step into the role of a real external hacker, exploring whether vulnerabilities can be found and abused with no additional knowledge.
