Code Review Services

"Application security above and beyond compliance."

Independent Source Code Auditing

In addition to over a decade of software development experience, members of the Paragon Initiative Enterprises team actively research the security of high value free and open source software projects. We possess a deep understanding of information security, risk management, and software vulnerabilities.


We Specialize in Application Security

We don't limit our auditing services to an automated scanner and a rubber stamp. We favor the careful eye and steady hand approach. In addition to leading to better security, we find that this also leads to a better understanding of your application as a whole, which reduces the rate of false positives.



From Code Injection to Side-Channel Cryptanalysis

Our team has experience at every level of modern application development. We frequently find vulnerabilitiess that other security professionals overlooked (or lacked the expertise to identify or mitigate).

We start with the low-hanging fruit (e.g. SQL injection, local/remote file inclusion, cross-site scripting, directory trasversal, LDAP/XPath injection, unvalidated file uploads, missing access controls, sensitive information disclosure) and then tackle the more sophisticated security risks (PHP object injection, weak random number generators, insecure cryptographic protocol design or selection, cryptographic side-channels, resource exhaustion a.k.a. Denial of Service, insecure password storage, etc.) until we are confident that your application is iron-clad.


The Code Auditing Process

When you hire Paragon Initiative Enterprises to perform a code audit on one of your business applications, we adhere to a simple and proven process to find and help your team remove the vulnerabilities in your platform:

  1. You provide us with the latest commit or snapshot of your project. This can be accomplished by giving us temporary access to your Git repository or by emailing us a tarball encrypted with our security team's GnuPG public key. We have also worked in testing environments over SSH. We're flexible on the details.
  2. We perform our vulnerability assessment for a previously agreed upon time period.
  3. We compile an audit report with any vulnerabilities or security concerns we discover in your code base. If we do not identify any vulnerabilities, the process stops here.
  4. We work with your team to fix the vulnerabilities. Often, we will send patches or pull requests that address specific issues.
  5. Once all of the vulnerabilities we identified are resolved, we will verify that they have been resolved and issue a revised audit report that indicates their resolution.

Recent Security Advisories

Recent Code Audits

  • 2018-08-15 Qbix Platform

    One of our clients built an app upon a platform called Qbix and hired us to do a pre-launch code audit of their app as well as Qbix's platform.

  • 2016-04-04 Bytejail Core Audit

    The Bytejailcore audit is our most comprehensive investigation to date, and we are happy to say that we did not find any security-affecting vulnerabilities or cryptographic weaknesses.

  • 2016-04-04 Bytejail Client Audit

    Our investigation of the Bytejail client software did not uncover any security vulnerabilities, cryptographic weaknesses, or anything resembling a backdoor. User's sensitive credentials are never transmitted, and even error messages are anonymized and encrypted before they are sent to the developers.

  • 2016-04-04 Bytejail Backend Audit

    After a comprehensive code review of the TahoeSmart and TahoeWorker projects, we did not identify any security vulnerabilities in either project. However, our investigation did uncover a few helper classes that could benefit from security enhancements.

  • 2016-04-04 Bytejail Console Audit

    After reviewing the Bytejail console source code, we have identified three security issues: one of medium severity and two of low severity. All three are related to cryptography and believed to be difficult for an attacker to exploit.

  • 2016-01-03 Luís Cobucci's JWT library Audit

    We did not find any security vulnerabilities in the JWT library itself; however, we did find a previously undiscovered cryptographic vulnerability in one of its dependencies.

  • 2015-07-23 NaclKeys Audit

    Paragon Initiative Enterprises conducted a comprehensive code review of the NaclKeys project and discovered no security vulnerabilities.