Our goal is to become your trusted advisor in all of your IT-security related matters. However, trust can only be built over time. We therefore typically begin our engagements by offering a standard catalogue of services that one would expect from an IT security consultancy, including threat modelling, penetration tests, code reviews, and developer training.
These standard services can of course be booked on a regular basis. For clients looking for long-term support, however, we offer a unique service: establishing a local security team for your organization, training the team where necessary, and helping them bring in the automation they need to make the most of their time.
Finally, with our experts on automated code analysis, feel free to request custom services in the area of automated vulnerability discovery at any time.
We offer the following standard services. For each of these services, our findings are provided in a detailed report. In addition to the concrete findings, this report includes general recommendations for increasing security in the long term, as well as overall comments on the security of the systems under investigation.
The first step for any effective security strategy is to understand what needs to be protected from whom. We achieve this by developing threat models with our clients that clearly define the systems and data under the client’s responsibility, and the potential threats to these systems. We recommend carrying out threat modelling before performing penetration tests or code reviews, as it drastically increases the efficacy of the assessments.
A penetration test is a simulated attack on your systems, and it often serves as the best starting point for obtaining an initial impression of the security of your applications and services. It shows you what an opportunistic attacker with little knowledge of your application's internals can be expected to learn about your systems, as well as the vulnerabilities they could use to obtain sensitive information. It leans heavily towards dynamic black-box testing of your application, meaning that no access to the code is required to carry out the penetration test. On the downside, many vulnerabilities that a code review would find immediately often remain undiscovered with this approach.
We offer in-depth reviews of your code and configurations for vulnerabilities, providing you with an independent third party's assessment of your application security. This white-box strategy is often considerably more effective than a penetration test alone, as it allows analysts to find vulnerabilities buried deep in the program's code. The code reviews performed by Whirly Labs are particularly effective because they are carried out by seasoned experts with access to in-house tooling that provides an edge over the competition.
Developing secure code is hard, and unintentionally introducing vulnerabilities is therefore all too common. The fact that computer security is often not a mandatory subject in developer education adds to this risk. Any time the code is modified, a new vulnerability could be introduced, making it crucial to give developers the training they need to recognize and eliminate vulnerabilities before they reach production. We support your efforts to establish secure programming practices in your engineering organization through custom-made training that focuses on the programming languages and technologies you use. Our educators have experience teaching security at the university level, and additional experts in the field can easily be sourced via our network if required.
Experience has shown that the standard catalogue of services widely demanded in the industry has several shortcomings, particularly in light of the software development practices introduced in the past decade: a penetration test or code review can quickly become outdated as the system under inspection is modified.
In the past, when software releases were rather infrequent, this problem was less pronounced. Today, modern engineering organizations often produce multiple public releases of their applications per day, creating a high potential for new vulnerabilities to be introduced between vulnerability assessments. In short, code is continuously integrated and deployed, but not continuously secured.
As a remedy, we offer several more innovative services aimed at organizations that are particularly concerned with their security and willing to establish effective security processes that protect them every day.
Make it our problem. If you would like security experts to review your code continuously, we have you covered. This service can be combined with developer education to build strong security capabilities inside your engineering organization over time. It is particularly interesting for SMBs that do not consider investing in an internal security team justifiable, but would still like the peace of mind that comes with continuous vulnerability detection.
Whirly Labs employs several experts in the area of semi-automated code review. The core finding in this field in recent years has been that, to be effective, automation must take into account the context in which applications operate and the semantics of the languages, libraries, and frameworks they use. We offer the development and maintenance of automated vulnerability discovery tooling that detects vulnerabilities in your code while your team develops. The automation is customized and maintained by our team, allowing you to focus on feature development while we handle the security.
Finally, if you would like us to help you assemble a world-class security team inside your organization, let us know. We will assist you from the early planning stages on, throughout staffing, training, and evaluation.