Source Code Review and Penetration Testing Services.

Does anyone have any idea about Source Code Review and Penetration Testing Services providers in India/abroad?
A friend got development work for a site, and the company wants to perform these 2 additional services.

Got this link: Pentest-Tools.com pricing | See plans, tools, features about penetration testing services (the client is more keen on vulnerability testing).

Have not found anything for source code review yet.

Use SonarQube.

Well… quite a few tools for Bug Bounty Hunters, Penetration Testers, Security Consultants and Auditors, Sysadmins and Network Admins, Web Developers, Testers. However, the more reputed ones are available… the source is more on Cloud, SaaS, Web-Based…

You still need to write test cases.

Well bro, SonarQube is more like a Code Quality Assurance tool that collects and analyzes source code… not ideal for Pen testers and Hunters…

Code quality, bad smells, and vulnerabilities can still be assessed without unit/integration tests. Those are only needed to determine code coverage, but yes, that’s an essential part of development.

OP asked about Source Code Review and Penetration Testing Services. At least the former can be done with SQ.

Source Code Review and Penetration Testing Services are miles apart bro …

My previous organization used Nessus for penetration testing.

Quite a good option, as Nessus scans cover a wide range of technologies including operating systems, network devices, hypervisors, databases, web servers, and critical infrastructure, if I am not mistaken.

He is considering the Basic Package for 110 US$ from Pentest-Tools.com pricing | See plans, tools, features.
It includes the following:

Tools:
- Web vulnerability scanners
- Network vulnerability scanners
- Offensive tools
- Reconnaissance tools

Targets / scans:
- Maximum number of targets
- Maximum parallel scans

Features:
- Automation capabilities
- Two-Factor Authentication (2FA)

Reports:
- Export simple reports (PDF, HTML, CSV)

I’ve heard of Coverity source code analysis…

Oh yes. At one stage, we did use Coverity. It was very good.

And does it let you plan the Technical Debt the project has and how to tackle it? This has integrations with build tools and CI/CD tools, so all the observations or notes will be put into an Issue Tracker/JIRA.

I have used this one and SonarQube.

A good friend of mine owns https://paralok.com/
Contact them. As for tools like OWASP and SonarQube, it is better if these tests are done by a third party and not the devs themselves.

While I agree with the third-party point, I would like to share my experience: whenever I dealt with any CISO/Info Sec for any of the client projects, they were pleased to see SonarQube recommendations implemented, and I never had a run-in with them.

Thanks for the website share, though.

SonarQube is a very heavily used asset in the enterprise. I’m working in an international Fintech company which caters to international banks across the US and EU for prepaid cards and payment services. Our product source code is all set up to go through SonarQube analysis, and the recommendations are being implemented.
Eventually there are little to no issues in pen-testing later, because the heavy work is already done during the development phase thanks to Sonar integration with CI pipelines, and that’s why I recommended it initially.

That said, zero-day vulnerabilities are excluded, and no one is safe from those, not even paid services.

Wondering why their contact form is limited to only 250 characters?
Sorry, but I dropped this for now.
Thanks for all the help received on this question; I approached one company from all the suggestions received.
Probably, I will finalize the deal.
I also received replies on freelancing sites, but they are not professionals (most are individuals without much information on both testing and source code review).