In every audit we conduct, we follow the Thesis Defense security audit approach. This process has been carefully designed to enhance the security and robustness of the target project, while fostering clear communication and collaboration between Thesis Defense and the customer throughout the security audit lifecycle.
While each audit is as unique as the project being audited, the steps laid out below are integral to the Thesis Defense approach.
Pre-Audit Preparations and Readiness Validation
Customer preparedness optimizes a security audit by helping the audit team to onboard efficiently and effectively. Thesis Defense will collaborate closely with each customer to verify that the target project is ready to undergo a security audit. This includes a thorough assessment of the following:
- Code: the codebase being audited is complete and implemented in accordance with best practice for the specific programming language.
- Documentation: the code comments are comprehensive and up-to-date, and the project documentation (e.g. architectural diagram, design documentation or specifications, developer documentation, and user documentation) is sufficient.
- Tests: the test coverage is comprehensive, with unit and integration tests to help catch bugs and implementation errors.
Audit Setup and Onboarding
To ensure a smooth transition into the audit, Thesis Defense will initiate the audit process by:
- Setting up a project kick-off call that includes the customer and the audit team.
- Setting up dedicated repositories for the duration of the audit.
- Establishing a dedicated communication channel with the customer.
Comprehensive Manual Security Audit
Once these preliminaries are complete, Thesis Defense will execute a comprehensive manual security audit in accordance with the Thesis Defense security audit approach, complemented by relevant security tooling where appropriate.
During the audit, the audit team may ask questions in the dedicated communication channel. Additionally, Thesis Defense may request additional meetings as needed to learn more about the audit target.
Audit Report Generation and Delivery
Following the manual security audit, Thesis Defense will compile a comprehensive audit report. This report will contain an exhaustive breakdown of findings, pinpointing vulnerabilities and weaknesses, and will include a remediation plan. Upon customer request, Thesis Defense will also schedule a delivery call to discuss the findings in depth.
Verification and Validation (Optional)
The verification process confirms that any security concerns raised in the audit have been satisfactorily resolved.
Once a customer who opts for a verification process has taken proactive steps to implement the remediations recommended in the audit report, Thesis Defense will revisit the issues identified to assess the extent to which the implemented remediations effectively mitigate the previously identified vulnerabilities.
Thesis Defense will then prepare and deliver an updated audit report. This updated report will include comprehensive details on the remediation actions taken and provide an updated status on each of the previously identified issues, ensuring transparency and completeness in the audit process.