/* capabilities */

Code is a vast and complex, multi-disciplinary area, generally tackled with a hacker-first mentality by traditional Pen Testing firms; operating in a deploy, operate and monitor model. Whilst this is a valid approach, true DevSecOps Engineering is part of the process in which code is planned, built and tested in the context of a CI/CD pipeline. Our capability in this field is extensive and drives transformations in not only cyber, but process, tool chains and ultimately developer culture.

Our Approach

Chaleit’s “Code” capability is designed to transform code quality, tool chains, the CI/CD and SDLC from a Cyber Security perspective using threat modelling and a developer-first mentality.


Chaleit’s “Code” capability is embedded in global organisations from Cloud Service Providers, manufacturing, digital / software houses, energy, transport, logistics and global shipping organisations.

Our capability in Code is extensive and challenges the norm. It also sits on a spectrum of approaches from traditional Pen Testing approaches of Code Review (SAST and DAST) through to “shifting left” (morphing our approach gradually from security expert to experienced developer with security skills) and ultimately being an integral part of the CI/CD and SDLC.

Code Review Tools
These present a first filter and quality gate to find bugs as they are happening and are generally noisy, full of false positives, and extremely hard to tune. Chaleit works as an embedded team to help you “drive” effective usage of your own security tooling in the context of your CI/CD, toolchain and SDLC process. It involves what we know generally as SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing).

By using your tooling above on a per project/code stack basis or having our teams use scripted or manual review techniques of key code repositories and libraries.

We combine both Static assessments and live sites to create “Dynamic” testing. The benefit is that we can see live the effects of parameters being passed to databases or web service calls.

All three techniques have their own degree of value but all benefit from the different perspectives of an expert security testing team driving the process.

The degree of interactivity you choose between our teams is very much dependent on your objectives; however the feedback loop is essential for reviews. We take great pride in sharing — through your report or interactive Q&A/feedback sessions — not only what is found in such reviews but also sharing with your development team the “how” and “why” bugs and findings came to be. We can even run a session for your developers to contextualise our findings and support you in your communications internally.

SDLC & DevSecOps Advisory

Software development practices recognise more and more that the best and most effective way of risk reduction and ensuring security best practice is to bake it in during the Software Development Life Cycle (SDLC).

Good security design does not mean compromise to functionality, complexity and the creation of problems. Baking security into the SDLC and being part of the CI/CD can be viewed as simply another measure of quality and protection by design. This is why we designed Chaleit’s DevSecOps Engineering “As-A-Service” programme.

Embedding technical expertise is a clear solution. Working together throughout the SDLC lifecycle drives sound application security design. The capability is highly bespoke and customised to each client with a number of implementation options all designed to add value, transfer knowledge and to drive security quality:

  • Advisory in the design and scoping phase: getting the design right, at the outset
  • Integrating as core part of the team as a subject matter expert for advice, solutions and knowledge.
  • Security code review and dynamic testing: reviewing code for bugs as its being created and continual testing as a parallel activity stream.

Ultimately Chaleit’s “Code” capability integrates with your DevOps to drive or create DevSecOps accountability in your development life-cycle and to simplify good security practice with your software teams.

DevSecOps is compatible with normal Agile processes and our goal is to aid decision making and take action at the same rate and in conjunction with your SDLC.

DevSecOps Engineering

A significant opportunity to resolve who owns security in your end to end product.

Cyber Digital Protection

Learn how we can add value to your company with our Cyber Digital Protection offering and how it could work for you.