Security Testing

What is Secure Code Review?

Secure Code Review, also known as Source Code Review or Security Code Review, focuses on identifying insecure coding techniques and vulnerabilities that could lead to security issues. It strategically reviews pieces of code to identify vulnerabilities at the root level.

When it comes to the development and release of an application, Secure Code Review should ideally be incorporated into the development life cycle, as it reduces overhead costs and the time it takes for developers to remediate security bugs. The CSA Security-by-Design Framework recommends that Secure Code Review is performed at the implementation phase.

is a CREST accredited Penetration Testing provider.

Objective of this assessment

Uncover insecure coding practices
Identify potential security vulnerabilities at the root level
Verify that the proper security controls are invoked in all the right places

Approach & Methodology

At , secure code review can be grouped into 3 types: Basic, Standard and Advanced.

A Basic code review utilizes a scanning tool with no manual review. Such an assessment is not recommended, as the report may contain false positives and does not reflect the true cyber security posture of the application.

The most common approach is the Standard Static Code Analysis. Manual verification such as code crawling is performed to identify business logic violations and indicators of weakness. Reference is made against the OWASP Code Review Top 9.

Standard Static Code Analysis methodology:
  • Planning & Preparation
      Code Walkthrough: identify the context of the code
  • Vulnerability Identification
      Automated tools for scanning
      Manual Review: investigate false negatives from the scan results
  • Report
      Provide a report for remediation action

A Whitebox Assessment (a.k.a. White Box Testing, Clear Box Testing, Open Box Testing, Glass Box Testing) is preferred for a comprehensive assessment of both internal and external vulnerabilities. It combines Secure Code Review with an authenticated Penetration Test in debugging mode.

At , the Whitebox Assessment is built upon the techniques used in a Standard Static Code Analysis, paying particular attention to the execution path by tracing the data flow, reading the access logs, watching file system accessibility and understanding the class mapping in order to create a successful exploit. Our consultants assess information flow, component interaction and communication paths by debugging the application. Attack surfaces and frameworks are explored in greater depth.

Whitebox Assessment methodology:
  • Planning & Preparation
      Code Walkthrough: identify the context of the code
  • Vulnerability Identification
      Automated tools for scanning
      Manual Review: investigate false negatives from the scan results
  • Debugging
      Execution path in the running application
  • Report
      Provide remediation action

Comparison of the three assessment types (Basic, Standard, Advanced) across the following activities:
  • Code Walkthrough
  • Vulnerability Identification
  • Manual Review
  • Debugging
  • Report