Code Security Review


Most application vulnerabilities originate in insecure coding practices. Developers are often unaware of how serious the consequences of insecure code can be, and development teams are rarely given formal training in writing secure code. The result is code that meets the functional business requirement but carries flaws that introduce security vulnerabilities into business applications.

A source code security review (also known as a white-box application assessment) is an effective way to discover design-level and code-level security flaws in business applications. It also provides assurance that key code-level security controls have been implemented appropriately. Grey-box and black-box application security testing can identify many security issues, but a source code review finds classes of vulnerability that are difficult or impossible to confirm from the outside, such as hardcoded credentials, weak cryptographic key handling, backdoors and flaws on code paths the tester never reaches.

A typical source code security review combines automated code security scanning with a detailed manual review to detect security flaws in code, identify insecure coding practices, find intentional or unintentional trojans and backdoors, and check for the known application security flaws catalogued in the Open Web Application Security Project (OWASP) Top 10, the Web Application Security Consortium (WASC) Threat Classification and the CWE/SANS Top 25.

Our team of code security experts conducts a fast and effective code review to help customers identify design-level and code-level security flaws introduced by insecure design and coding practices. After the code review is completed, our team provides a comprehensive report detailing every security flaw discovered, together with recommendations for securing the application code.

Our Coverage



SecurEyes provides a comprehensive code security review service for multiple platforms and a wide variety of programming languages and frameworks such as:

  • Languages: Java, JSP, JavaScript (ES5, ES6), TypeScript, VBScript, PL/SQL, HTML5, C#, VB.NET, ASP.NET, ASP, VB6, C/C++, PHP, Ruby, Perl, Android (Java), Objective-C, Swift, Python, Groovy, Scala, Go
  • Frameworks: Struts, Spring MVC, Spring Dependency Injection, iBatis, GWT, Hibernate, OWASP ESAPI, JSTL FMT Taglib, ATG DSP Taglib, Java Server Faces (JSF), Google Guice, PrimeFaces, Telerik, ComponentArt, Infragistics, Hibernate.Net, Entity Framework, ASP.NET MVC, ASP.NET Core (including Razor), Zend, Kohana, CakePHP, Symfony, Smarty, bWAPP, Ruby on Rails, jQuery, Node.js, Ajax, Knockout, AngularJS, Express.js, Pug (Jade), Handlebars, Cordova/PhoneGap, Hapi.js, XS (SAP), Backbone, Kony Visualizer, React, SAPUI5, Volley (Android), Django, Akka, Protobuf

Our Methodology



The overall methodology flow of our code security review service is as follows:

  • Application Environment Understanding (including coding and deployment details)
  • Detailed Application Business Understanding along with critical workflows
  • Performing Automated Source Code Review (or manual code review if language is not covered by automated tool)
  • Manual Verification/Analysis for the removal of possible false positives
  • Discussion and finalization with the development team
  • Publishing the Report

Our Benchmarks



Our code security review is aligned with the following well-known code security assessment guidelines:

  • OWASP secure coding guidelines
  • MISRA C, SEI CERT C
  • MISRA C++, JSF AV C++ Coding Standard, SEI CERT C++ Coding Standard
  • Secure Coding Guidelines for Java SE (Oracle)
  • Secure coding guidelines for .NET (Microsoft)
  • CWE/SANS Top 25 Most Dangerous Software Errors
  • and other industry standard benchmarks for evaluating the code security of applications.

Examples of the vulnerabilities identified during a code review include the following (a sample, not an exhaustive list):

  • Injection attacks (SQL Injection, Code Injection, Command Injection, LDAP Injection, XPath Injection)
  • Insecure Session Management
  • Insecure Cookie Attributes
  • Insecure Transmission of Password and other sensitive information
  • Private IP Disclosure
  • Internal Path Disclosure
  • XML External Entity Attack (XXE)
  • Insecure Deserialization
  • Insecure Direct Object Reference
  • Race conditions
  • Overflows
  • Character set conversion problems
  • Logical errors
  • Bad assumptions
  • Cryptography Key Management flaws
  • Sensitive data exposure
  • Use of deprecated/banned function calls
  • Resource Injection
  • Hardcoded Password
  • Password in Connection String
  • Environment Injection
  • Environment Manipulation
  • Password Storage in the Local Database
  • Missing or bypassable root/jailbreak detection (mobile)
  • Missing repackaging (tamper) detection (mobile)
  • Missing hooking-framework detection (mobile)
  • Missing anti-debugging protection (mobile)
  • Missing Android emulator detection
  • Missing screen-mirroring/screenshot protection (mobile)
  • and many others
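To make two of the findings above concrete, the following Python shows the vulnerable form of a login routine beside its hardened form. This is an added illustration, not code from the original page or from SecurEyes; the table, account names and passwords are constructed for the demo, and the in-memory SQLite database stands in for whatever the reviewed application actually uses. The first finding is SQL injection through string concatenation, which a reviewer would flag on sight; the second is plaintext password storage, replaced by salted PBKDF2 hashes compared in constant time.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo; not real credentials.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]
PBKDF2_ITERATIONS = 100_000

# Closes the open quote and makes the WHERE clause always true.
INJECTION_PAYLOAD = "' OR '1'='1"


def seed_plaintext_db():
    """Vulnerable schema: passwords stored in clear (finding: password storage)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Finding: SQL injection. Request-controlled strings are concatenated
    into the statement, so an attacker can close the quote and append SQL."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + name
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Hardened storage: salted PBKDF2-HMAC-SHA256 in a self-describing format."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(stored, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def seed_hashed_db():
    """Hardened schema: only salted hashes are stored, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(n, hash_password(p)) for n, p in SAMPLE_USERS])
    return conn


def login_hardened(conn, name, password):
    """Parameterised query (input stays data) followed by hash verification."""
    row = conn.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        # Hash anyway so response time does not reveal whether the user exists.
        hash_password(password)
        return False
    return verify_password(row[0], password)


if __name__ == "__main__":
    weak = seed_plaintext_db()
    print("vulnerable, wrong password:", login_vulnerable(weak, "alice", "wrong"))
    print("vulnerable, injection     :", login_vulnerable(weak, "alice", INJECTION_PAYLOAD))
    strong = seed_hashed_db()
    print("hardened, injection       :", login_hardened(strong, "alice", INJECTION_PAYLOAD))
    print("hardened, real password   :", login_hardened(strong, "alice", "correct horse"))
```

Running the script shows the injection payload logging in as alice against the vulnerable routine and being rejected by the hardened one. In a real review the concatenated query would be reported as SQL injection, the cleartext column as insecure password storage, and the fix would be verified in the corrected code rather than assumed.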

Why Choose us?



  • Rich experience of conducting code security reviews covering 3,350,000+ lines of source code across 500+ applications and many languages and frameworks, including web applications, thick clients, mobile (Android/iOS) apps and web services
  • Comprehensive testing that simulates the actual tools, techniques and procedures of adversaries
  • Vast experience conducting code reviews across sectors including BFSI, Manufacturing, Healthcare, Information Technology, Logistics, Government, Retail and Telecom
  • Highly trained and experienced code reviewers who provide a customised engagement for each customer
  • Comprehensive reports that give our customers an in-depth understanding of each code flaw and its business impact, stated in business language
  • Close coordination with the development team so that the flaws are understood and fixed at the root cause using secure coding practices

You can get in touch with us at sales@secureyes.net to utilize our Cyber Security Testing services for your organization today.