Source Code Review
Code review verifies the security of your application's source code to find security flaws that may have been overlooked during development and could leave the application vulnerable to attack. Source code review helps organizations identify the risks they would face in the event of an attack or data breach. It eliminates vulnerabilities at an early stage, improving code quality and reducing both application maintenance costs and overall development cost.
An insecure application could allow an attacker to gain unauthorized access, compromise application functionality, or steal sensitive data, impacting the business not only through lost revenue and legal sanctions but also through reputational damage. Verifying source code before deployment reduces the time and resources that would otherwise be required if vulnerabilities were found after the code has been deployed. Implementing source code reviews alongside secure coding best practices is important for providing assurance around the security of your application.
Code Review – Our Approach
We conduct manual and automated code review, following the industry best practices and guidelines specified by the OWASP Top Ten, the OWASP Code Review Guide, ASVS, WASC, SANS, and NIST for security risks, and we provide recommendations based on industry-standard secure coding techniques.
Our team reviews the application's security architecture and develops custom rules. We review the code, both manually and with automated tools, from a developer's perspective to identify design and programming flaws as well as vulnerable programming constructs and functions.
We assess the identified vulnerabilities and back doors thoroughly to eliminate false positives. We then prepare an in-depth report listing the identified vulnerabilities, together with recommendations to fix the code, mitigate risks, and improve security during the development phase, reducing your development costs.
The following among others will be checked during Source Code Review:
Injection Flaws:- Threats such as SQL injection, OS command injection, and LDAP injection. We verify how user-supplied data is incorporated into commands or queries sent to an interpreter.
Cross-Site Scripting (XSS):- XSS vulnerabilities occur when a web application accepts user input into a web page without proper validation or output encoding. Cross-site scripting allows an attacker to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Data Exposure:- Many web applications and APIs do not properly protect sensitive information, and cybercriminals can steal or tamper with such data.
Broken Authentication:- Authentication and session management are frequently implemented incorrectly, allowing cybercriminals to compromise user credentials, keys, or session tokens, or to exploit other flaws to assume other users' identities.
Broken Access Control:- Restrictions on what authenticated users are allowed to do are often not properly enforced, which can lead to horizontal and vertical privilege escalation vulnerabilities.
XML External Entities (XXE):- Many legacy or poorly configured XML parsers evaluate external entity references within XML documents. External entities can be abused to disclose internal files via the file URI handler, reach internal file shares, perform internal port scanning, and enable remote code execution or denial of service.
The following methods are used during source code review, based on customer requirements:
Automated Code Review:- A fully automated approach ensures breadth of coverage in identifying the most commonly found vulnerabilities, using commercial code-scanning tools and our own custom tools.
Manual Code Review:- Our experts manually identify security vulnerabilities in source code that an automated tool would often miss. Such vulnerabilities typically exist within critical functionality, including business logic, encryption, network communications, and access controls.
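As an added illustration, not part of this service description or of any tool it refers to, the following Python script shows what a small set of custom review rules of the kind mentioned above might look like when run over application source. The rule ids, the regular expressions and the sample source it scans are all constructed for the example. It covers four of the checks listed earlier (SQL and command injection, XXE, unescaped template output) and deliberately over-matches: breadth is the automated step's job, and the manual review step is what removes the false positives.

```python
"""Toy custom-rule scanner for a source code review (constructed example)."""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    text: str


# Each rule: (rule id, pattern, why a reviewer should look at the line).
# Rule ids and patterns are made up for this example, not a product's ruleset.
RULES = [
    ("SQLI-CONCAT",
     re.compile(r"\.execute\(\s*(f[\"']|[\"'].*?[\"']\s*(\+|%)|.*\.format\()"),
     "query text built with string formatting or concatenation; use bound parameters"),
    ("CMDI-SHELL",
     re.compile(r"os\.system\(|os\.popen\(|shell\s*=\s*True"),
     "command passed through a shell; prefer an argument list without a shell"),
    ("XXE-ENTITIES",
     # lxml resolves entities by default, so a parser constructed without
     # resolve_entities=False also deserves a look; this toy rule only flags
     # the explicit form.
     re.compile(r"resolve_entities\s*=\s*True|load_dtd\s*=\s*True"),
     "XML parser configured to resolve external entities or DTDs"),
    ("XSS-UNESCAPED",
     re.compile(r"autoescape\s*=\s*False|Markup\(|\|\s*safe\b"),
     "template output marked as trusted HTML; confirm the value cannot carry user input"),
]
WHY = {rule_id: why for rule_id, _pattern, why in RULES}


def scan(source: str) -> List[Finding]:
    """Return one Finding per (line, rule) match, skipping blank and comment lines."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for rule_id, pattern, _why in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, rule_id, stripped))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule id, for the report's overview table."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.rule] = counts.get(finding.rule, 0) + 1
    return counts


# Constructed sample application source. Lines 8 and 12 are the safe forms
# and must not be flagged; the others illustrate the weak constructs.
SAMPLE_SOURCE = '''\
import os, subprocess
from lxml import etree
from flask import render_template_string

def lookup(cursor, name, user_id):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

def ping(host):
    os.system("ping -c 1 " + host)
    subprocess.run(["ping", "-c", "1", host])

def parse(xml_bytes):
    parser = etree.XMLParser(resolve_entities=True)
    return etree.fromstring(xml_bytes, parser)

def show(comment):
    return render_template_string("<p>{{ comment|safe }}</p>", comment=comment)
'''


if __name__ == "__main__":
    results = scan(SAMPLE_SOURCE)
    for finding in results:
        print(f"line {finding.line_no:>3}  {finding.rule:<14} {finding.text}")
        print(f"           why: {WHY[finding.rule]}")
    print("summary:", summarize(results))
```

Each finding is only a lead: the reviewer still traces whether the flagged value can actually carry attacker-controlled input before it is reported, which is the step that separates a finding from a false positive.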
Source Code Review is generally conducted as part of the VAPT exercise.