So, you want to check the security of an in-house developed application?  Great! Doing this a couple of times a year is very important.  Here are a few questions to ask your auditor:

  1. Do they just scan the code with tools, or do they also have experts on staff who understand the language and can go deeper? Evidence of development skills is important.  Many enterprise pentesters are not coders.
    • Key: Both automated static analysis and manual code review are important
  2. Do they check for known vulnerabilities and license compliance issues? There are tools and techniques for scanning binaries and source code to identify the versions of third-party libraries in use, match them against published vulnerability data, and flag license conflicts.
    • Key: Component analysis (software composition analysis) is important
  3. Do they have the tools and skills to do a serious dynamic test?
    • Key: For native code this means fuzzing, ideally against sanitizer-instrumented builds so memory errors surface instead of being silently tolerated. Deep knowledge of C/C++ is likely required.
    • Key: For web code this means a skilled, manual test with tools like Burp and ZAP
  4. Do they have a team that knows enough about design, the SDL (secure development lifecycle), and deployment to properly advise on the high-level state of your development program?
    • Key: Real-world secure development and deployment knowledge matters.
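
To make item 2 concrete, here is an added example of the kind of check a component-analysis tool performs. It is not code from the original post or from any particular product: it parses a pinned dependency list, compares each version against an advisory list using simple range clauses, and checks each package's license against a deny-list. The lock file, the advisory IDs (prefixed EXAMPLE-), the license inventory, and the policy are all constructed for illustration; real tooling would pull the advisory data from a vulnerability database such as OSV or the NVD and the license data from the packages' own SPDX identifiers.

```python
"""
Minimal software composition analysis (SCA) check.

Added example, not the page's own code. Everything below (lock file,
advisories, license inventory, policy) is constructed for illustration.
"""
import re

# Constructed lock file in requirements.txt style; versions are illustrative.
LOCKFILE = """\
# pinned dependencies for the audited application (constructed)
requests==2.25.1
urllib3==1.26.4
pyyaml==5.4.1
mysqlclient==2.1.1
"""

# Constructed advisory list. IDs are hypothetical; a real tool would query
# a vulnerability database. "affected" uses the range syntax handled by
# version_in_range(): comma-separated clauses that must all hold.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "urllib3", "affected": "<1.26.5"},
    {"id": "EXAMPLE-0002", "package": "pyyaml", "affected": ">=5.1,<5.5"},
]

# Constructed license inventory and a deny-list for a proprietary product.
LICENSES = {
    "requests": "Apache-2.0",
    "urllib3": "MIT",
    "pyyaml": "MIT",
    "mysqlclient": "GPL-2.0",
}
DENIED_LICENSES = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}

# Comparison helpers: each maps the result of cmp_versions() to a boolean.
OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "==": lambda c: c == 0,
}


def parse_version(version: str) -> tuple:
    """Turn '1.26.4' into (1, 26, 4). Non-numeric components count as 0."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def cmp_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; shorter tuples are padded so 5.5 == 5.5.0."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def version_in_range(version: str, spec: str) -> bool:
    """True if version satisfies every clause of spec, e.g. '>=5.1,<5.5'."""
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\w.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = m.groups()
        if not OPS[op](cmp_versions(version, bound)):
            return False
    return True


def parse_lockfile(text: str) -> dict:
    """Map lower-cased package name to pinned version; skip comments/blanks."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = version.strip()
    return deps


def find_vulnerable(deps: dict, advisories: list) -> list:
    """Return (advisory_id, package, version) for each pinned version in range."""
    hits = []
    for adv in advisories:
        version = deps.get(adv["package"])
        if version is not None and version_in_range(version, adv["affected"]):
            hits.append((adv["id"], adv["package"], version))
    return hits


def find_license_conflicts(deps: dict, licenses: dict, denied: set) -> list:
    """Return (package, license) for each dependency whose license is denied."""
    return [(pkg, licenses[pkg]) for pkg in deps if licenses.get(pkg) in denied]


if __name__ == "__main__":
    deps = parse_lockfile(LOCKFILE)
    for adv_id, pkg, ver in find_vulnerable(deps, ADVISORIES):
        print(f"VULN  {adv_id}: {pkg}=={ver}")
    for pkg, lic in find_license_conflicts(deps, LICENSES, DENIED_LICENSES):
        print(f"LICENSE  {pkg} is {lic}, which policy does not allow")
```

The version comparison here is deliberately simplified (numeric dot-separated components only); a real scanner has to handle the ecosystem's full version grammar, which is exactly the kind of detail that separates a tool run from an audit.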

Finally, you need the budget to get a solid team.  If you get a low quote, ask yourself: is there any way they could pay the best engineers, use the best tools, and do a comprehensive audit of even a medium-sized application for a price that low?  Remember: you get what you pay for.