Static Code Analysis

Find vulnerabilities where they originate: With Static Code Analysis (SAST), we uncover security problems directly in the source code – even during development.

Many security gaps are the result of programming errors or insecure configurations. Classic penetration tests often discover these late, when the application is already in use. With Static Code Analysis, risks can be identified and eliminated early on.
We offer both manual source code analyses and the use of market-leading SAST tools. This enables your developers to understand security problems in the code immediately – and to implement sustainable improvements.

Offer

Our Static Code Analysis includes various approaches – from lean quick wins to complete integration into the Software Development Lifecycle (SDLC):

  • Manual Source Code Analysis: Identification of typical error locations in the code by experienced experts (SAST quick wins). Ideal as a targeted supplement before a penetration test.

  • Automated Static Code Analysis: Use of market-leading tools, tailored to your technology stack. Preparation of the results in a form that is easily understandable for developers.

  • Individual test variants:

    • Quicktest SAST

    • Integrated SAST + Penetration Testing Analysis

    • Comprehensive code-based Web Application Security

Approach

Our approach is transparent, comprehensible, and practical:

  1. Scoping: Definition of project goals, scope, and technologies used.
  2. Analysis: Execution of manual and/or automated code reviews.
  3. Finding Documentation: Highlighting the relevant sections in the source code with clear best practices for remediation.
  4. Review & Reporting: Creation of a structured report for developers and management.
  5. Integration: Upon request, integration of the analysis into CI/CD processes for continuous security.

Checkpoints

We systematically check security-critical areas of the code:

  • Input and output validation
  • Authentication and authorization
  • Error and exception handling
  • Use of frameworks and libraries
  • Storage and transport of sensitive data
  • Configuration and deployment aspects

We cover all application scenarios of Static Code Analysis:

Programming errors responsible for security vulnerabilities in modern web applications frequently occur in typical, systematically identifiable locations in the code and configuration. With our SAST Quick Wins method, these can be checked with manageable effort, significantly increasing the security of a web application.

This method is also ideally suited as a supplement to a penetration test.

Tailored to your requirements, we use one of the SAST tools available on the market and present the results in a format that is easily understandable for managers and developers.

The results are cleansed of false positives, multiple occurrences of the same vulnerability are consolidated, and the criticality assessment is checked and, if necessary, adjusted contextually.

The use of AI and sophisticated prompting additionally enables us to detect a range of semantic problems.

The integration of security tests into the technical process chain helps to identify vulnerabilities or security-relevant problems early on.

We bring many years of experience with commercially available SAST and IAST tools, as well as open source tools suitable for special tasks, and can support you in equipping your build chain tailored to your requirements.

Your Benefit

With static code analysis, you ensure that security problems do not arise in software development in the first place. You gain reliability, save valuable time in development, and build on the expertise of real software developers.

  • Our many years of experience and the use of SAST tools in our own development projects
  • Developer-friendly reports with clear best practices
  • More reliability and transparency in development
  • Lower costs through early risk detection – prevention instead of rework
  • Strengthening developer competence and security awareness


mgm DeepDive

Source code analysis versus penetration test

Automated source code analysis and penetration tests both have their strengths – it all depends on using them correctly! Here are some characteristics of these approaches.

Automated Static Code Analysis

  • Finds vulnerabilities that a penetration test cannot find
  • Systematic, comprehensive approach
  • Problems are located directly at the corresponding code location
  • Specific information on how to fix them
  • The degree of coverage of the analysis is traceable, and is usually full coverage
  • Provides information already during development
  • Component tests are possible
  • Effectively contributes to developer training

Penetration test

  • Identifies vulnerabilities that a source code analysis cannot find, or cannot reliably find
  • Includes the entire system (web server, etc.) in the investigation
  • Easy to implement