Secure Source Code Review

What is Secure Code Review?

Secure Code Review, also known as Source Code Review or Security Code Review, focuses on identifying insecure coding techniques and vulnerabilities that could lead to security issues. It strategically reviews pieces of code to identify vulnerabilities at the root level.

When it comes to the development and release of an application, Secure Code Review should ideally be incorporated into the development life cycle as it reduces overhead costs and the time it takes for developers to remediate security bugs. The CSA Security-by-Design Framework recommends that Secure Code Review is performed at the implementation phase.


Objective of Secure Code Review Assessment

  • Uncover insecure coding practices
  • Identify potential security vulnerabilities at the root level
  • Verify that the proper security controls are invoked in all the right places

Approach & Methodology

At softScheck, Secure Code Review can be grouped into 3 types – Basic, Standard, Advanced.

A basic Secure Code Review utilises a scanning tool with no manual review. Assessments such as these are not recommended as the report may contain false positives and does not reflect the true cyber security posture of the application.

The most common approach for Secure Code Review is the Standard Static Code Analysis. Manual verification such as code crawling is performed to identify business logic violations and indicators of weakness. Reference is made against OWASP Code Review Top 9.

Steps taken for a standard Secure Code Review:

Planning & Preparation
Code Walkthrough
  • Identify the context of the code
Vulnerability Identification
  • Automated tools for scanning
Manual Review
  • Investigate false negatives from the scan results
Report
  • Provide a report for remediation action
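The difference between a basic (tool-only) review and a standard review with manual verification can be shown in code. The following is an added example, not softScheck's tooling: a constructed Python source snippet is scanned twice, once with naive substring matching (the kind of result a scan-only review reports) and once with an AST-based rule that only flags real calls. The text scan produces false positives (a comment and a harmless literal_eval call), and both scans miss an os.system sink that only a manual review would catch, which is the false-negative investigation step above. Names, rules and the sample source are all assumptions for illustration.

```python
import ast
from dataclasses import dataclass

# Constructed sample source under review (not from any real project).
SAMPLE = '''\
import ast
import os
import subprocess

def parse_config(text):
    # do not use eval() here; literal_eval() only accepts literals
    return ast.literal_eval(text)

def run_report(user_filter):
    cmd = "report --filter " + user_filter
    return subprocess.run(cmd, shell=True)

def compute(expr):
    return eval(expr)

def list_dir(path):
    return os.system("ls " + path)
'''


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


# "Basic" review: substring matching over raw text, no understanding of syntax.
TEXT_PATTERNS = {
    "eval(": "dynamic code evaluation",
    "shell=True": "shell command execution",
}


def scan_with_text(source: str) -> list[Finding]:
    """Flag every line containing a suspicious substring (comments included)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, detail in TEXT_PATTERNS.items():
            if pattern in line:
                findings.append(Finding(lineno, "text:" + pattern, detail))
    return findings


DANGEROUS_BUILTINS = {"eval", "exec"}


class SinkVisitor(ast.NodeVisitor):
    """Flag calls to eval/exec builtins and subprocess.*(..., shell=True)."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Name) and func.id in DANGEROUS_BUILTINS:
            self.findings.append(Finding(node.lineno, "ast:builtin", f"call to {func.id}()"))
        elif (isinstance(func, ast.Attribute)
              and isinstance(func.value, ast.Name)
              and func.value.id == "subprocess"):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(
                        Finding(node.lineno, "ast:subprocess-shell", f"subprocess.{func.attr}(shell=True)"))
        self.generic_visit(node)


def scan_with_ast(source: str) -> list[Finding]:
    """Parse the source and apply the call-site rules; comments are never flagged."""
    visitor = SinkVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


def likely_false_positives(source: str) -> list[int]:
    """Lines the text scan flagged that the syntax-aware scan did not confirm."""
    confirmed = {f.line for f in scan_with_ast(source)}
    return sorted({f.line for f in scan_with_text(source)} - confirmed)


if __name__ == "__main__":
    for f in scan_with_text(SAMPLE):
        print("text  ", f)
    for f in scan_with_ast(SAMPLE):
        print("ast   ", f)
    print("needs manual confirmation:", likely_false_positives(SAMPLE))
    # os.system on line 17 is a sink neither rule set knows about: a false
    # negative that only a manual review of the remaining code will surface.
```

Neither scanner lists line 17 (the os.system call), which is exactly why the manual review step investigates what the tools did not report rather than only triaging what they did.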

A Whitebox Assessment (a.k.a. White Box Testing, Clear Box Testing, Open Box Testing, Glass Box Testing) is preferred for a comprehensive assessment of both internal and external vulnerabilities. It combines a Secure Code Review with an authenticated Penetration Test conducted in debugging mode.

At softScheck, a Whitebox Assessment builds on the techniques used in a Standard Static Code Analysis by paying particular attention to the execution path: tracing the data flow, reading the access logs, observing file system access and understanding the class mapping in order to create a successful exploit. To properly conduct a Secure Code Review, our consultants assess information flow, component interaction and communication paths by debugging the application. Attack surfaces and frameworks are explored in greater depth.

Steps taken for an advanced Secure Code Review:

Planning & Preparation
Code Walkthrough
  • Identify the context of the code
Vulnerability Identification
  • Automated tools for scanning
Manual Review
  • Investigate false negatives from the scan results
Debugging
  • Trace the execution path in the running application
Report
  • Provide remediation action

Phase                          Basic   Standard   Advanced
Code Walkthrough               ✓       ✓          ✓
Vulnerability Identification   ✓       ✓          ✓
Manual Review                  -       ✓          ✓
Debugging                      -       -          ✓
Report                         ✓       ✓          ✓

Choose softScheck for Trusted Security Testing

softScheck is a CREST accredited leading cybersecurity consultancy firm and Penetration Testing provider. We are also well-experienced in providing a full suite of security testing, audit services and advisory services. Speak to us to find out how you can get started with a Secure Code Review for your organisation now.