SAST, DAST, and dependency auditing — every vulnerability tagged to the ISO 27001 A.8.28, HIPAA §164.312(c), or NIST CSF PR.DS control it violates. Catch what automated scanners miss before it reaches production or your next audit.
Each layer catches a different class of vulnerability. All four are included in every engagement.
Automated and manual review of source code for security flaws without execution. Covers every file, every branch, every dependency.
Black-box testing against the running application. OWASP Top 10, business logic flaws, and authentication weaknesses.
Every third-party library and transitive dependency checked against CVE databases. SBOM generated for your compliance records.
Automated tools miss business-logic flaws. Our engineers manually review authentication flows, authorisation checks, and cryptographic implementations.
Unsanitised user input flowing into database queries.
Reflected, stored, and DOM-based injection in web frontends.
Hardcoded credentials, weak session management, insecure token storage.
Untrusted data deserialised without type checking or validation.
Third-party libraries with known CVEs pulled in via npm, pip, Maven.
Debug flags, stack traces, and default credentials left in production code.
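The first finding class above, untrusted input concatenated into a database query, is easiest to understand with the vulnerable pattern next to its remediation. The following is an added illustration written for this page, not code from any client engagement; it uses an in-memory SQLite table constructed inline and a single classic tautology payload, and the function and table names are assumptions.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for an application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Finding: the caller's input becomes part of the SQL text itself.

    An attacker-controlled quote ends the string literal and the rest of
    the input is parsed as SQL, so the WHERE clause can be rewritten.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Remediation: the value travels as a bound parameter.

    The SQL text is fixed at development time; the driver passes the
    input to the engine as data, so quotes and keywords in it have no
    syntactic effect.
    """
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Constructed payload: closes the literal and appends an always-true clause.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable:", lookup_user_vulnerable(conn, TAUTOLOGY_PAYLOAD))  # both rows
    print("safe:      ", lookup_user_safe(conn, TAUTOLOGY_PAYLOAD))       # no rows
```

The vulnerable version returns every row for the tautology payload, while the parameterised version looks for a user literally named `' OR '1'='1` and finds none. The same distinction (string building versus bound parameters) is what a reviewer checks for in every ORM escape hatch, raw query helper and stored-procedure wrapper.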
Each finding in our report is tagged to the specific compliance control it affects.
ISO 27001:2022 Annex A
A.8.25: Secure development lifecycle policy
A.8.27: Secure system architecture and engineering principles
A.8.28: Secure coding, preventing common vulnerabilities

HIPAA Security Rule
§164.312(c)(1): Integrity controls, preventing unauthorised code modification
§164.312(a)(1): Access control in application authentication flows
§164.308(a)(8): Evaluation, application-level vulnerability testing

NIST CSF 1.1
PR.DS-6: Integrity checking mechanisms for software
PR.IP-2: Secure development lifecycle implemented
ID.RA-1: Asset vulnerabilities identified and documented
Audit-Ready Evidence
Accepted by ISO 27001 certification bodies
ISO 27001:2022 Annex A 8.28 requires that secure coding principles are applied to software development, and certification auditors expect evidence that code is reviewed for security vulnerabilities. Our report provides that evidence, complete with findings, remediation actions, and a re-scan attestation confirming which findings were fixed.
HIPAA §164.312(c)(1) requires integrity controls. We provide evidence that application-level integrity — input validation, output encoding, data handling — was reviewed and hardened.
JavaScript/TypeScript (Node.js, React, Next.js), Python (Django, FastAPI), Java (Spring), PHP, Go, Ruby on Rails, and .NET. Other languages are assessed case-by-case.
SAST requires read access to the source code repository (GitHub, GitLab, Bitbucket). DAST requires access to a staging or production-like environment — we never test against live production without explicit written approval.
ISO 27001:2022 Annex A 8.25 (secure development lifecycle), 8.27 (secure architecture and engineering principles), and 8.28 (secure coding) require these practices to be established and applied, and certification auditors expect documented evidence that code-level security review actually takes place. Our report provides that evidence.
A focused SAST review of a medium-size codebase (50–200k lines) takes 3–5 days. Full SAST + DAST + SCA with manual review typically takes 7–10 days. Timeline is confirmed after scoping.
No. Source code analysis is white-box — we review the code directly. A penetration test is black-box or grey-box — we attack the running application. Both are recommended for full coverage; many ISO 27001 and HIPAA programmes require both.
Catch vulnerabilities before they reach production — and before your ISO 27001 or HIPAA auditor does.
Request a Code Security Review