Thesis Defense provides rigorous and thorough system security audits that are coherent and consistent in their approach, while offering our security auditors the flexibility required to meet the needs of each individual audit.
The core of our approach is identifying security vulnerabilities through exhaustive manual code review, during which we read every line of code in the security audit scope.
Our approach to each audit is specifically tailored to the specifications and characteristics of the system in scope, in addition to the needs of the customer. Every audit, however, includes the following objectives: all of which are essential to maximizing the effectiveness of the security audit for the benefit of the customer, the users, and the community:
Attack Tree Threat Modeling: We create an attack tree to determine an appropriate threat and trust model for the system or component being audited. This helps us to define system inputs and outputs and to better define and clarify the scope and areas of concern for the security audit. What we learn from creating an attack tree helps us to determine a roadmap with specific milestones for the audit.
Security by Design: We conduct a thorough design review to confirm adherence to decentralized system design best practices, and the absence of common design issues that could result in security vulnerabilities.
Secure Implementation: We conduct an in-depth examination and manual review of the project's source code to assess compliance with best practices and adherence to design specifications, as well as to identify security vulnerabilities and code quality issues.
Use of Dependencies: We review third-party libraries, dependencies, and APIs used in the project to identify potential vulnerabilities introduced by external code. We check adherence to security best practice for deployment and CI-CD (continuous integration and continuous delivery) where appropriate.
Tests: Secure implementation relies upon the appropriate use of tests such as unit and integration tests, fuzzing, property-based tests, and formal verification. We evaluate the use of tests utilizing both manual and automated testing tools, as needed, to identify common and edge case vulnerabilities.
Project Documentation: We carefully review project documentation, including design, architecture, and code comments, to understand the intended functionality and potential vulnerabilities. We assess code comments and project documentation correctness and adherence to best practice.