Security Code Review

Application Security Source Code Review

A Secure Code Review involves analysis of the application source code to identify potential security vulnerabilities. A secure code review is generally recommended for high profile and mission critical applications processing sensitive and confidential information. This can be the single most effective technique to identify implementation bugs when used in combination with automated scanning and manual penetration testing techniques. This is also known as “White Box” security testing since the security team has full knowledge of the application and its source code. Secure Code Review is also a compliance requirement for many  organisations.

Step9 Consulting’s detailed source code review methodology can be utilised to perform targeted source code reviews within critical areas of the application, by utilising a combination of industry-leading open source and commercial source code analysis tools and manual inspection techniques in order to provide comprehensive coverage and to reduce false positives.

Step9 Consulting  offers a source code review service for most common programming languages for web and mobile platforms.

Vulnerabilities Identified Through Secure Code Review

The major classes of vulnerabilities that may be uncovered during a code review include:

  • SQL Injection
  • Cross-site Scripting
  • Authentication flaws
  • Cryptographic flaws
  • Buffer Overflows
  • Malicious File Execution
  • Cross-site Request Forgery
  • Open Redirects
  • Sensitive Information Leakage
  • Dangerous Functions and potential backdoors
Report

The final deliverable of the code review process is a comprehensive assessment report with an executive summary and details of technical security vulnerabilities with a root cause analysis, risk ratings and remediation advice. Our consultants will always discuss the findings in the report in a separate meeting  for follow-up questions and potential engagement of Web Application Firewall (WAF) consultants to configure the policy to mitigate the discovered application vulnerabilities using a Web Application Firewall technology