Code Security Review

Most of the vulnerabilities in applications are due to security loopholes arising out of insecure coding practices. Most often, developers are not aware of the magnitude of security problems that may arise due to insecure coding. Usually the development teams are not formally trained in writing secure code and may end up writing code which meets the business requirement in terms of functionality but has flaws that can lead to security vulnerabilities being introduced into business applications.

A Source Code security review exercise (also known as white-box application assessment) is an effective and fool proof mechanism to discover design-level & code-level security flaws in business applications. It also helps to provide assurance that key code-level security controls have been implemented appropriately. While application security testing (grey-box and black-box) can identify security issues, a Source Code review is a fool-proof mechanism for identifying vulnerabilities that can be difficult or impossible to find in a black-box or grey-box application testing.

A typical Source Code security review activity utilizes a combination of automated code security scanning followed by detailed manual review to detect security flaws in code, identify insecure coding practices, intentional/unintentional trojans/backdoors and other known application security flaws as per the Open Web Application Security Project (OWASP) top 10, Web Application Security Consortium (WASC) standards and SANS top 25.

Our team of code security experts conduct a fast and effective code review to assist our customers in identifying design as well as code level security flaws that are introduced because of insecure design and coding practices. After the code review is completed, our team provides our customers with a comprehensive report detailing all security flaws discovered during the code security review along with suggested recommendations to secure the application code.

Our Coverage

SecurEyes provides a comprehensive code security review service for multiple platforms and a wide variety of programming languages and frameworks such as:

Languages: Java, JSP, JavaScript, VBScript, PL\SQL, HTML5, C#, VB.NET, ASP.NET, VBScript, ASP, VBScript, VB6, C/C++, PHP, Ruby, ES5, ES6, Typescript, Perl, Android (Java), Objective C Swift, Python, Groovy, Scala, GO Language
Frameworks: Struts, Spring MVC, Spring Dependency Injection, iBatis, GWT , Hibernate, OWASP ESAPI, JSTL FMT Taglib, ATG DSP Taglib, Java Server Faces (JSF), JSP, Google Guice, PrimeFaces, Telerik, ComponentArt, Infragistics, Hibernate.Net, Entity framework, ASP.Net MVC framework, ASP.Net CORE Razor, ASP.NET Core, Zend, Kohana, CakePHP, Symfony, Smarty, bWapp, Ruby on Rails, JQuery, Node.js, Ajax, Knockout, AngularJS, ExpressJS, Pug (Jade), Handlebars, Cordova/PhoneGap, Hapi.JS, XS (SAP), Backbone, Kony Visualizer, ReactJS, SAPUI5, Volley(Android), Django, Akka, Protobuf.

Our Methodology

The overall methodology flow of our code security review service is as follows:

Application Environment Understanding (including coding and deployment details)
Detailed Application Business Understanding along with critical workflows
Performing Automated Source Code Review (or manual code review if language is not covered by automated tool)
Manual Verification/Analysis for the removal of possible false positives
Discussion and finalization with the development team
Publishing the Report

Our Benchmarks

Our comprehensive code security review is aligned to the following well known global code security assessment guidelines such as:

OWASP secure coding guidelines
MISRA C, SEI CERT C
MISRA C++, JSF AV C++ Coding Standard, SEI CERT C++ Coding Standard
Secure Coding Guidelines for Java SE (Oracle)
Secure coding guidelines for .NET (Microsoft)
SANS Top 25 Most Dangerous Software Errors
and other industry standard benchmarks for evaluating the code security of applications.

Some examples of vulnerabilities identified in the code review includes the following (sample given below):

Injection attacks (SQL Injection, Code Injection, Command Injection, LDAP Injection, Xpath Injection)
Insecure Session Management
Insecure Cookie Attributes
Insecure Transmission of Password and other sensitive information
Private IP Disclosure
Internal Path Disclosure
XML External Entity Attack (XXE)
Insecure Deserialization
Insecure Direct Object Reference
Race conditions
Overflows
Character set conversion problems
Logical errors
Bad assumptions
Cryptography Key Management flaws
Sensitive data exposure
Use of deprecated/banned function calls
Resource Injection
Hardcoded Password
Password in Connection String
Environment Injection
Environment Manipulation
Password Storage in the Local Database
Root/Jail break Detection
Repacking Detection
Hooking Framework Detection
Debugger Protection
Android Emulator Detection
Device screen mirroring protection
and many others

Why Choose us?

Rich experience of conducting code security review for 3350000+ Lines of Source Code for 500+ applications across languages/frameworks (including Web application, Thick Client, Mobile (Android/iOS), Web Services Applications)
Comprehensive testing simulating actual attack tools, techniques & Processes of adversaries
Vast experience in conducting code review across sectors including BFSI, Manufacturing, Healthcare, Information Technology, Logistics, Government, Retail, Telecom, etc
Highly trained and experienced code reviewers who provide a customized experience to each customer
Comprehensive reports that help our customers to have an in-depth understanding of code flaws and their corresponding business impact (in business language)
Our customers benefit from our team's close coordination with the development team to assist in understanding the flaws with the objective of fixing the root cause of vulnerabilities using secure coding practices

You can get in touch with us at sales@secureyes.net to utilize our Cyber Security Testing services for your organization today.