We offer a wide range of technical security services, from application security audits to custom vulnerability research projects.
Our experienced team strives to deliver impactful, actionable deliverables, providing your company with the right tools to scale its security posture.
If you wish to enhance the security of your application or product, you have come to the right place.
Application Security is our speciality.
We specialize in source code auditing of any application, be it small web apps or complex kernel modules.
Our experts have the skills and know-how to identify vulnerabilities and provide your company with valuable input on how to fix them.
Through our years of experience in app security and pentesting we understand that the most cost- and time-efficient manner of assessing the security of an application is by combining source code review with dynamic testing.
You as a client will receive the most concise and actionable report – no bullshit, just real and exploitable vulnerabilities.
We will setup an initial call to discuss the scope and detail the access we need.
You provide us with access to the source code of the application.
If possible, you provide us with an environment that has the app deployed and can be used for testing.
We perform the audit and stay in close contact with your engineers to troubleshoot any problems.
You receive a report allowing you to take immediate actions to secure your application.
We audit almost any type of applications.
We have auditors and researchers for most of the prelevant systems and architectures:
If your target does not fall into any of these categories, give us a call and we can see if it is something we can do nevertheless.
Having access to the source code allows us to work in a more efficient way. We can pinpoint problems quickly instead of having to rely on black-box testing.
When it comes to audits, being able to maximize the time that is spent actually looking for vulnerabilities is important. An attacker is most likely not time-constrained as are security audits, they will find complex vulnerabilities that an auditor without source-code access might miss in his limited allotted time frame.
We are not very picky! Usually we come to an agreement that satisfies any security concerns our clients might have with sharing their source code.
Some possibilities include adding our engineers to your version control system as temporary read-only members, sending us a ZIP file of your code or even just providing us RDP access to a machine that has the source code on.
Yes, we would love to!
Having a way to quickly get feedback on a question or troubleshoot a problem is of immense help and will make sure the audit runs smoothly.
If you have a communication channel like Teams, Slack or similar, we would be happy to be invited in a private channel where we can directly chat with your technical team.โ
We don’t absolutely need one, but it helps speeding up the process of verifying potential vulnerabilities and creating exploits.
It also allows us to see how the application will be deployed and catch potential configuration issues.
It shouldn’t be a problem. Often we can deploy the applications ourselves using the source code that you provide. These details can be discussed during a phone call.โ
Let’s be honest, a lot of audit reports are dry, repetitive and contain much fluff information.
We provide concise reports containing only technical details of real vulnerabilities, no fillers or nonsense.
If you need an executive summary in addition to the technical details, it will be of course included.
That is a good question!
Indeed, many of our clients don’t even require a full report, instead we provide a list of vulnerabilities with detailed, technical description.
If you give us access to your Git or Bitbucket, we create issues for each vulnerability, allowing your technical team to easily track them and make sure they are getting fixed.
If your question has not been answered, do not hesitate to contact us and we will gladly provide you more information.
Sometimes the source code is not available. But do not despair, we’ve got you covered!
Our reverse engineering team can provide you with the following services:
We would be happy to discuss more details and your specific needs in a phone call.
Our team of vulnerability researchers has a track record of finding 0day vulnerabilities in complex projects.
If you are looking for vulnerability researchers for specific targets or projects, do not hesitate to contact us to discuss further.
Copyright ยฉ Bugscale SA 2023
email: contact@bugscale.ch – PGP keyโ phone: +41 21 90 31337