Why code security by coders?
The secret to comprehensive security is knowing how an attacker thinks and how a developer creates.
The important thing to remember about finding and helping remedy security flaws is that it requires assessments in which our testers and researchers can toggle between two frames of mind. First, we look at your application as an attacker might, where vulnerabilities emerge from the stories of past exploits and the known weaknesses in human security practices and operating systems. Second, and often most importantly, we see your application and organizational system from the point of view of a developer.
At Redpoint, coding is both the background from which our testers came to security and an ongoing occupation at Redpoint Labs, where we develop security-focused software solutions to contemporary problems. This work as developers informs how we approach security in the applications and environments we test, and we marry that knowledge to an attacker's mindset.
In thinking like developers, we create the architecture and frameworks we use to analyze what is happening in your application or network. In thinking like attackers, we probe the endpoints where hackers most often find vulnerabilities. And, perhaps most importantly, it is in combining these two mindsets that difficult-to-find threats (individually minor, critical when chained together) and business-logic vulnerabilities emerge.
In that vein, one of our principal consultants, Justin Larson, often says Redpoint’s tagline should be “We’ll find your IDOR (Insecure Direct Object Reference).” IDORs, like business-logic flaws, are a class of vulnerability that affects many modern web applications and is difficult for automated scanners to detect, because the request is well-formed and the only thing wrong is a missing check that the caller is allowed to see the record it asked for. For this reason, we send our security reviewers into application codebases to mine for authorization missteps.
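To make the authorization misstep concrete, here is an added example (not Redpoint's code, and not from any client application) of the pattern a code reviewer looks for. The data, the `Invoice` record, and the two handler functions are constructed for illustration: the first handler looks a record up by the id taken from the request and returns it to whoever asked, which is the IDOR; the second scopes the lookup to the authenticated owner, so a foreign id is indistinguishable from a missing one. The `cross_tenant_leaks` helper is the kind of authorization test a reviewer writes to prove the point: it calls a handler as every user for every id and reports any record returned to someone other than its owner.

```python
"""Constructed example: an IDOR in a record-lookup handler, its fixed form,
and a small authorization test that distinguishes the two."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


# Constructed sample data standing in for a database table (hypothetical values).
INVOICES = {
    101: Invoice(101, owner_id=1, amount_cents=4500),
    102: Invoice(102, owner_id=2, amount_cents=99000),
}

Handler = Callable[[int, int], Optional[Invoice]]


def get_invoice_vulnerable(session_user_id: int, invoice_id: int) -> Optional[Invoice]:
    """IDOR: the id comes straight from the request and nothing ties it to the
    session user, so changing 101 to 102 in the URL reads another customer's data.
    The session_user_id parameter is received but never consulted."""
    return INVOICES.get(invoice_id)


def get_invoice_fixed(session_user_id: int, invoice_id: int) -> Optional[Invoice]:
    """Fixed: the lookup is scoped to the authenticated owner. Returning None for
    both 'not found' and 'not yours' also avoids confirming that a record exists."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != session_user_id:
        return None
    return invoice


def cross_tenant_leaks(handler: Handler) -> List[Tuple[int, int]]:
    """Authorization test: call the handler as every known user for every known id
    and collect (user, invoice_id) pairs where the returned record belongs to
    someone else. An empty list means the handler does not leak across tenants."""
    leaks: List[Tuple[int, int]] = []
    users = sorted({inv.owner_id for inv in INVOICES.values()})
    for user in users:
        for invoice_id in INVOICES:
            result = handler(user, invoice_id)
            if result is not None and result.owner_id != user:
                leaks.append((user, invoice_id))
    return leaks


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_tenant_leaks(get_invoice_vulnerable))
    print("fixed handler leaks:     ", cross_tenant_leaks(get_invoice_fixed))
```

The design point in the fixed handler is that ownership is part of the query itself rather than a check bolted on afterwards; in a real codebase this usually means filtering by the owner column in the same query that fetches the record, so that no code path can return a row the caller does not own. A scanner sees two well-formed requests with two well-formed responses; only reading the handler, or running an owner-aware test like `cross_tenant_leaks`, reveals the difference.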
Consequently, code security by coders is where we believe we provide Redpoint clients extraordinary value. It is the primary reason we often recommend the Hybrid Assessment we developed, which examines our clients’ applications in their running environments as well as the source code undergirding those applications. Overall, it creates a deeper level of security for the applications and systems we analyze.
If you or your organization is interested in learning more about Redpoint Security and our proprietary testing process, contact us here for more information.