Skip to main content

Frequently Asked Questions

We understand that security and privacy can be an overwhelming topic. To help you understand the services we offer, and to see if they are right for you we've provided some answers to common questions.

If you can't find the answer here, please do not hesistate to reach out to us for a complimentary consultation.

General Security Audit FAQs

Why should I audit my system?

Security incidents cost time (and money) that is much better spent serving your organizations mission.

As more and more of our lives are mediated by connected computers, data breaches and hacks have become increasingly common. There is no such thing as a low-value target for hackers, who are constantly on the look out for security weaknesses.

By investing in an audit you can proactively take control, and protect your organization, and your customers and clients, from expensive downtime, and data loss.

How long does a Security Audit take?

The length of an engagement is highly dependent on how large the system or application being tested is, and the goals of the audit.

Generally, we recommend that initial engagements focus on a specific part of the system or application, and timeboxed to a known length of (typically 1 to 2 weeks).

Once complete, our team will be able to recommend additional reviews for other parts of your system.

What are the outputs of an audit?

Our team will work with you to provide results in a format that suits you best. Some clients prefer a detailed report that includes executive summaries, methodologies, and detailed breakdowns of risks and vulnerabilities. Other clients prefer a direct team briefing with a list of things to fix.

How should I prepare my system/application for an audit?

We will work with you to break down the steps necessary for a successful audit.

Typically, for source code and configuration audits we will ask you to prepare an archive of relevant files and have them delivered to us in a secure manner (we also provide on-site review services).

For vulnerability assessments, we will provide you with a list of resources we will need. This usually includes things like system accounts, configured test users with certain permissions and attributes.

Open Source Review FAQs

Do I Qualify for a Subsidized Assessment?

To qualify for a subsidized assessment projects must:

  • Be publicly accessible solely under an acceptable open source license (MIT, BSD, GPL etc.)
  • Not be primarily maintained or sponsored by a for-profit corporation
  • Consent to the public release of any report once any disclosed vulnerabilities have been mitigated, or within 90 days of receipt