Secure Source Code Review
What is Secure Code Review?
Secure Code Review, also known as Source Code Review or Security Code Review, focuses on identifying insecure coding techniques and vulnerabilities that could lead to security issues. It strategically reviews pieces of code to identify vulnerabilities at the root level.
When it comes to the development and release of an application, Secure Code Review should ideally be incorporated into the development life cycle as it reduces overhead costs and the time it takes for developers to remediate security bugs. The CSA Security-by-Design Framework recommends that Secure Code Review is performed at the implementation phase.
softScheck is a CREST accredited Penetration Testing provider.
Approach & Methodology
At softScheck, Secure Code Review is grouped into three types: Basic, Standard and Advanced.
A Basic Secure Code Review uses a scanning tool with no manual review. Assessments of this kind are not recommended: the report may contain false positives and therefore does not reflect the true cyber security posture of the application.
The most common approach to Secure Code Review is the Standard Static Code Analysis. Manual verification, such as code crawling, is performed to identify business logic violations and indicators of weakness. Findings are referenced against the OWASP Code Review Top 9.
Steps taken for a standard Secure Code Review:
A Whitebox Assessment (a.k.a. White Box Testing, Clear Box Testing, Open Box Testing or Glass Box Testing) is preferred for a comprehensive assessment of both internal and external vulnerabilities. It combines a Secure Code Review with an authenticated Penetration Test performed in debugging mode.
At softScheck, the Whitebox Assessment builds on the techniques used in a Standard Static Code Analysis by paying particular attention to the execution path: tracing the data flow, reading the access logs, watching file system accessibility and understanding the class mapping in order to create a successful exploit. To properly conduct a Secure Code Review, our consultants assess information flow, component interaction and communication paths by debugging the application. Attack surfaces and frameworks are explored in greater depth.
Steps taken for an advanced Secure Code Review:
Choose softScheck for Trusted Security Testing
softScheck is a leading CREST-accredited cybersecurity consultancy and Penetration Testing provider. We are also experienced in providing a full suite of security testing, audit and advisory services. Speak to us to find out how you can get started with a Secure Code Review for your organisation.