Source code review, SAST/DAST and threat modelling

Code & App Security.

Comprehensive security assessment of source code and running applications with manual review, automated SAST/DAST/SCA and threat modelling tied to your CI/CD. We focus on the few findings that actually matter and ship working patches.

The Basalt Code & App Security portfolio gives organisations a way to provide ongoing security skills and knowledge to their initiatives. We meet teams at every level of the stack — from infrastructure to application layer — with senior operators who can read both the engineering and the regulatory context.

  • Fewer, higher-signal findings developers will actually fix
  • Catch vulnerabilities at the merge, not at the pen test
  • Reduce supply-chain risk in third-party dependencies
  • Threat models that survive the first refactor

Services

Manual review of high-risk code paths and auth flows

We deliver this work as part of the broader Code & App Security engagement — scoped to your real environment, mapped to the controls your auditors and board already use, and shipped with reproducible artefacts your engineering team can act on.

SAST, DAST and SCA tuned to your stack

We deliver this work as part of the broader Code & App Security engagement — scoped to your real environment, mapped to the controls your auditors and board already use, and shipped with reproducible artefacts your engineering team can act on.

Threat models per service and trust boundary

We deliver this work as part of the broader Code & App Security engagement — scoped to your real environment, mapped to the controls your auditors and board already use, and shipped with reproducible artefacts your engineering team can act on.

Developer-grade remediation guidance with sample patches

We deliver this work as part of the broader Code & App Security engagement — scoped to your real environment, mapped to the controls your auditors and board already use, and shipped with reproducible artefacts your engineering team can act on.

CI/CD security gates and pre-merge checks

We deliver this work as part of the broader Code & App Security engagement — scoped to your real environment, mapped to the controls your auditors and board already use, and shipped with reproducible artefacts your engineering team can act on.

Approach

We start with an initial face-to-face (or remote) meeting which will:

  • Understand what your business does and where the key areas of risk are
  • Discuss the services that we deliver under the Code & App Security offering
  • Understand the scope of the engagement, single project / application / entire code & app security environment or somewhere in between
  • Select the best services for the stage of development for the solutions in scope

Inside Code & App Security

Penetration Testing

CREST-aligned penetration testing for web apps, APIs, internal networks and cloud environments — findings ranked by exploitability, not just CVSS.

Explore Penetration Testing →

Code Security Audit

Manual and tooled code review across your highest-risk repos — secrets, auth, injection, deserialisation and supply-chain risk, with CI integration that keeps findings from coming back.

Explore Code Security Audit →

Application Security

Application security programs built around your engineering org — threat modelling, secure-by-default libraries, AppSec champions and CI/CD guardrails that ship.

Explore Application Security →

What a great team. Easy to work with and so knowledgeable. — Managed Services Provider

Take the next stepTalk to us today

Say hi!