What is Secure Code Review?
Secure Code Review, also known as Source Code Review or Security Code Review, focuses on identifying insecure coding techniques and vulnerabilities that could lead to security issues. It strategically reviews pieces of code to identify vulnerabilities at the root level.
When it comes to the development and release of an application, Secure Code Review should ideally be incorporated into the development life cycle, as it reduces overhead costs and the time developers need to remediate security bugs. The CSA Security-by-Design Framework recommends that Secure Code Review be performed at the implementation phase.
softScheck is a CREST-accredited Penetration Testing provider.
Approach & Methodology
At softScheck, secure code review can be grouped into three types: Basic, Standard and Advanced.
A basic code review uses a scanning tool with no manual review. Such an assessment is not recommended, as the report may contain false positives and does not reflect the true cyber security posture of the application.
The most common approach is the Standard Static Code Analysis. Manual verification, such as code crawling, is performed to identify business logic violations and indicators of weakness. Reference is made against the OWASP Code Review Top 9.
A Whitebox Assessment (a.k.a. White Box Testing, Clear Box Testing, Open Box Testing, Glass Box Testing) is preferred for a comprehensive assessment of both internal and external vulnerabilities. It combines Secure Code Review with an authenticated Penetration Test in debugging mode.
At softScheck, a Whitebox Assessment is built upon the techniques used in a Standard Static Code Analysis, paying particular attention to execution paths by tracing data flow, reading access logs, watching file system accessibility and understanding class mapping in order to create a successful exploit. Our consultants assess information flow, component interaction and communication paths by debugging the application. Attack surfaces and frameworks are explored in greater depth.