Chaleit’s “Code” capability is embedded in global organisations spanning cloud service providers, manufacturing, digital / software houses, energy, transport, logistics and global shipping.
Our capability in Code is extensive and challenges the norm. It sits on a spectrum of approaches that runs from traditional penetration-testing approaches to code review (SAST and DAST), through “shifting left” (gradually morphing our role from security expert to experienced developer with security skills), to ultimately being an integral part of the CI/CD pipeline and SDLC.
Code Review Tools
These present a first filter and quality gate to find bugs as they are introduced, but they are generally noisy, full of false positives, and extremely hard to tune. Chaleit works as an embedded team to help you “drive” effective usage of your own security tooling in the context of your CI/CD pipeline, toolchain and SDLC process. This covers what is generally known as SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing).
SAST
Performed either by using your tooling above on a per-project / code-stack basis, or by having our teams apply scripted or manual review techniques to key code repositories and libraries.
DAST
We combine static assessments with live sites to create “dynamic” testing. The benefit is that we can observe, live, the effects of parameters being passed to databases or web service calls.
All three techniques have their own degree of value but all benefit from the different perspectives of an expert security testing team driving the process.
The degree of interaction you choose between our teams depends very much on your objectives; however, the feedback loop is essential to reviews. We take great pride in sharing — through your report or interactive Q&A/feedback sessions — not only what is found in such reviews but also the “how” and “why” behind the bugs and findings, so your development team understands how they came to be. We can also run a session for your developers to contextualise our findings and support you in your internal communications.