CODE Auditing

At SRLabs, we tackle complex security challenges, and software systems have proven to be an endless source of great security puzzles. We created our methodological process for security validation and employ it regularly with leading software development teams.

“We help software teams to become more security mature while having fun discovering bugs and innovative attack vectors.”

Model
We define threat scenarios and hacking incentives for compromising the security of the software system.
Verify
We review the software project design for coverage and mitigations of the relevant attack scenarios. ​
Check
We test the software implementation, discover as many hacking vectors as possible and pursue the most promising ones.
Remediate
We work in close collaboration with core developers of the project to report and remediate the discovered issues.​

Our Approach

We follow a four step security assessment process:
Threat modeling
All software project has a different attack surface. This is why we always start our audits with threat modeling, where we map out ideas of how attackers could profit from exploiting each part of the target and list the most likely attack scenarios. The threat model provides guidance for the design, implementation, and security testing of the software will help create protection across the availability, integrity and confidentiality dimensions.
Design and Coverage check
The security design coverage check assesses theoretical hacking risks to your system. We review the software design for coverage of the relevant attack scenarios. This check uses the security goals defined in the threat model as a basis. Together with core developers we determine the maturity of each component to help us steer our focus to review-ready parts of the codebase. We also define assumptions to record what is needed to reach identified security goals. These assumptions provide guidance for issue identification and remediation.
Hybrid baseline assurance process
A hybrid approach for baseline assurance tests whether the security premises hold up in practice. We assess the implementation of the software system, discovering as many hacking vectors as possible and pursuing the most promising ones. Our security research team establishes assurance through a hybrid test approach, coupling dynamic testing (e.g., fuzz testing) and manual code review.
Remediate
We work in close collaboration with core developers of the software project to report and remediate the discovered potential issues. We also conduct a second review of components once a fix is available. For the bug fix verification we often repeat the test cases executed during the baseline check phase.

we believe

We believe that we, and the security community as a whole, share the responsibility to help technology mature and fullfill its potential to securely handle data and assets in a myriad of new and innovative ways.
Finding impactful vulnerabilities

Our main priority is protecting clients from the most likely and most serious attacks, which are often unique to their software stack. We identify security bugs through our unique threat model-based approach by putting ourselves in the hackers' shoes.
Mitigating found vulnerabilities

We work closely with our clients' core developers, providing both high- and low-level mitigation suggestions and ensuring that applied changes fix the security bugs and do not introduce further issues.
Helping our clients to implement a secure by design approach
We provide holistic evolution suggestions for protocol design, coding, and configuration best-practices, enabling secure development. We encourage our clients to conduct internal threat modelling to help design a product that is secure at its core.

Explore more

aLL articles
Your Blockchain is only as secure as the application on top of it
Your Blockchain is only as secure as the application on top of it
blockchain
22/3/2022
Simple fuzzing goes a long way, even for critical blockchain software
Simple fuzzing goes a long way, even for critical blockchain software
blockchain
27/5/2019