Secure Code Review
Are you sure you know what is hidden in your system’s source code?
What is a Security Code Review?
“Security code review is the process of auditing the source code for an application to verify that the proper security controls are present, that they work as intended, and that they have been invoked in all the right places.” (OWASP)
It is commonly known that designing and implementing a secure application is a difficult task. Programmers rarely have the expertise or the time required to invest in system security. The result is that applications contain many vulnerabilities, with severe implications for the system’s security. Such programming vulnerabilities may enable legitimate system users or external attackers to perform unauthorized operations.
By exploiting such vulnerabilities, whether from inside or outside the organization, malicious entities can cause security breaches and damage the availability, integrity and confidentiality of information. When you perform a Security Code Review, you can identify threats embedded at the source code level and mitigate them in the early stages of system development.
- Developers introduce three vulnerabilities in every 10,000 lines of code they write. This means 15 vulnerabilities in a small system of 50,000 lines of code, and more than 300 vulnerabilities in a large system of 1 million lines of code.
- In most cases, security testing is carried out only after development has been completed. Mitigation at this stage is expensive and in some cases delays the target date for promoting the system or version to the production environment.
- In huge systems there may be hundreds of vulnerabilities. In most cases, penetration testing reveals only a small sample of each type of vulnerability. For example, a penetration testing report will indicate a vulnerability such as XSS; however, penetration testing will never detect all instances of that vulnerability in the code or their exact locations, which hinders the ability to fix them.
A Security Code Review enables you to detect vulnerabilities that would take months to find with penetration testing, if they were found at all. Using automated tools, we can scan huge amounts of code. The security code review can also be performed manually, and at an early stage before the system is deployed to the production environment, even if only partial or non-compiling code is available. We can find the exact location of each vulnerability in the source code and pinpoint the specific line of code causing the problem.
- Professionalism – Our dedicated team specializes in and performs only security code review projects.
- Experience – We scan millions of lines of code every month and have 20 years of experience performing security code reviews.
- Responsiveness – We can start work on very short notice.
- Efficiency – Our methodology is based on many years of proven experience and enables us to conduct an efficient audit, saving you time and money.
- End-to-end service – As your partners, we are part of the process:
  - We can advise when to perform the review.
  - We can advise on the scope of the review.
  - We will explain the vulnerabilities that we detect.
  - We can assist development programmers and help mitigate the vulnerabilities found in the source code.