Security Audits

How safe is your software? Not just for you, but for your customers? Do you know which doors have been left unlocked, and how much data can get pulled out of them? If you’ve never had a security audit, the answer is probably “I don’t know”.

Why Audits Matter

Many small businesses think that they’re too small, or that their data isn’t important enough, to be a target. Unfortunately, “what your business does” matters far less to an attacker than “how easy it is to get in”: most intrusions begin with indiscriminate scanning for known weaknesses, not with a decision to target you specifically. Even if nothing of value is taken, a compromised system can do immense damage to your reputation and make it difficult for your customers to trust your business in the future.

Regular security audits are a vital way to proactively protect your customers and your business against external threats. No audit can guarantee that a system is 100% safe, but audits are an essential tool for getting an independent assessment of the risks your system currently faces.

We can audit the security of your systems, spot vulnerabilities, and give you recommendations to improve the safety and reliability of your software. Security holes can come in a variety of forms such as:

  • Outdated dependencies.
  • Weak access controls.
  • Missing validation, verification, or authorisation.
  • Misconfigurations.
  • Expecting all users to play by the rules.

Most developers know how to counter some of these, but it’s easy to miss a problem, especially if you don’t know how exploits actually happen in practice.
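To make the last two items in the list above concrete, here is an added illustration (not code from this page’s author or from any audited project) of what “missing authorisation” and “expecting all users to play by the rules” look like in plain PHP. The `invoices` table, the `fetchInvoiceUnsafe` and `fetchInvoiceSafe` function names and the sample rows are all hypothetical, constructed so the script runs offline against an in-memory SQLite database (it assumes the `pdo_sqlite` extension is available). The first handler is a common pattern: it uses prepared statements, so it is not injectable, yet it never asks whether the caller is allowed to see the record, so any logged-in user can walk `?id=1`, `?id=2`, … and read every customer’s invoice. The second handler validates the input and makes ownership part of the query itself.

```php
<?php
// Added illustration; hypothetical schema and data, not taken from any real project.
declare(strict_types=1);

// Constructed in-memory database so the example runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE invoices (
    id          INTEGER PRIMARY KEY,
    owner_id    INTEGER NOT NULL,
    total_cents INTEGER NOT NULL
)');
$pdo->exec('INSERT INTO invoices VALUES (1, 10, 4999), (2, 20, 125000)');

// VULNERABLE: the query is parameterised (no SQL injection), but the only
// thing stopping user 10 from reading user 20's invoice is the assumption
// that users will only request ids they were shown. Attackers do not play
// by that rule; they enumerate ids.
function fetchInvoiceUnsafe(PDO $pdo, array $query): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, owner_id, total_cents FROM invoices WHERE id = :id'
    );
    $stmt->execute([':id' => $query['id'] ?? null]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

// HARDENED: validate the shape of the input before it reaches the database,
// and make ownership part of the lookup. A foreign id then behaves exactly
// like a non-existent one, so the endpoint cannot be used as an oracle for
// which ids exist.
function fetchInvoiceSafe(PDO $pdo, int $currentUserId, array $query): ?array
{
    $id = filter_var(
        $query['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        // Missing, empty, negative, or non-numeric ids are rejected up front.
        return null;
    }

    $stmt = $pdo->prepare(
        'SELECT id, owner_id, total_cents FROM invoices
          WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $id, ':owner' => $currentUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

// Constructed request: user 10 is logged in and asks for invoice 2,
// which belongs to user 20.
$currentUserId = 10;
$request = ['id' => '2'];

// The unsafe handler happily returns someone else's invoice.
var_dump(fetchInvoiceUnsafe($pdo, $request));

// The safe handler treats the foreign id like a missing record.
var_dump(fetchInvoiceSafe($pdo, $currentUserId, $request));

// And still serves the user's own invoice when the id is theirs.
var_dump(fetchInvoiceSafe($pdo, $currentUserId, ['id' => '1']));
```

Run it with `php example.php` and compare the three dumps. The point an audit looks for is the first pattern: code that is syntactically careful (prepared statements, typed parameters) but that makes a trust decision nobody wrote down. A framework makes the fix easier to express (a policy or voter in Laravel or Symfony), but the underlying check is the same: tie the record to the authenticated principal in the query or the authorisation layer, never in the client.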

How Security Audits Work

The first step of our security audits is understanding the size of your system and what stage of development you are in. Large, old systems take longer to audit than smaller or newer software. Typically a security audit takes one to two weeks, depending on those factors and on the purpose of the audit. Larger systems may take longer, but we will ascertain this as early as possible so that you know what to expect.

When we begin the audit we will review your code to look for obvious vulnerabilities or issues from the inside out. We will work to validate and demonstrate any vulnerabilities found in a way that causes as little impact as possible to your business and development team, preferring to test first on local or staging environments. We will always seek approval before we run any tests or checks that may affect production systems to ensure that you understand what the risks may be.

Any production-level checks outside of standard scans will be very limited in scope. They are performed only to ascertain whether an identified vulnerability is actively exploitable at all, not to explore the full depth of the potential exploit. Note that when an exploit attempt is blocked only incidentally, by something other than the code itself, your system still isn’t secure: the external factors may change and expose the weakness in the future, so we report the weakness regardless.

Not Just Ticking Boxes

A big problem that we’ve seen with other audits is that they don’t actually try to understand your software. They run a number of automated tools that look at your system from the outside, but never explore how (or whether) your code might actually be vulnerable. While these tools provide a good approximation of some of the most common attacks, they also miss problems that are unique to your code and over-represent issues that do not actually pose a significant threat.

Our audits will typically cover code review, dependency checks, architecture review, and an assessment of external vulnerabilities. We can also review your Systems Development Life Cycle and processes to identify other threats and areas of concern. This means that you’re not just getting a piece of paper saying that your system has been checked, you’re getting a real assessment of the risks and ways to remediate them that make sense.

After The Audit

Once the audit is complete we’ll provide you with a report that details any issues found, the scale of the risks they represent, and how to identify and fix them. This means that your team doesn’t just get an impenetrable list of vague problems, but they’ll get actionable insights which demonstrate how the vulnerability works, the scope of the risk, and how to avoid it in the future.

Issues will be assessed and ranked on metrics such as their likelihood, ease of exploitation, potential impact, and difficulty to mitigate. This gives you a clear path forward so that you can prioritise your remediation efforts effectively, instead of chasing unimportant fixes while leaving your front door wide open.

Reviewing

After the initial audit, it’s always a good idea to book in a review to check if you’ve sufficiently plugged any holes and to make sure that new ones haven’t been introduced. Periodic audits are a great way to make sure that your software stays on track.

If you’re still in the development phase, an early review can be a great way to ensure that your systems are secure before you release your product to customers. A second review near the end of the project lets you check your fixes and ensure that everything is as secure as it can be.

Audits That Understand Your Software

We are experts in PHP, with nearly 20 years of experience working on PHP applications of all shapes and sizes. We don’t just look at your system from the outside; we understand how the tools work, inside and out, giving you an extra degree of certainty that we can find issues that other auditors can’t.

Laravel

We’ve been building and securing systems built on Laravel since 2014. We’ve contributed code to the Laravel ecosystem, including to the framework, Eloquent, and other popular tools such as Livewire. We have a deep understanding of the framework, where security vulnerabilities can be accidentally introduced, and how to properly secure your application.

Symfony

We have audited and upgraded a number of Symfony projects, ensuring security is at the core of the application. We understand how Symfony applications function, how to ensure that access controls are implemented properly, and how to keep your application updated so that you’re not vulnerable to issues in third-party libraries.

Vanilla PHP

If you’re not using a framework, getting an audit that actually understands your system can be even more difficult. We can understand and review legacy systems that were built long before the current frameworks existed, and help you to identify the risks that are unique to your code.