Secure code review

We help you provide a secure product to your customers with a good understanding the types of threats that are prevalent in the industry today.

A code review will be carried out on the product source code over several days as necessary based on the programming language type and product complexity. This will involve detailed analysis of the code and will output a list of vulnerabilities and areas where best secure code design practice can be improved. Specific and general mitigation and remediation options and ongoing consultancy to resolve these issues.

Providing a secure product to your customers requires a good understanding the types of threats that are prevalent in the industry today, how your product can be attacked and a full understanding of all the software used to build the product. With the shortage of cyber security skills in the industry and the increased time to market pressures, building and maintaining this knowledge and the expertise is critical.

Prerequisites

The following pre-requisites are required from the client:

  • Complete in scope code base
  • Line of code count
  • Technical overview of the product by development or architecture lead
  • Optional: working test environment
  • Optional: working build environment

From an electronic copy of the source code, a senior security consultant with in depth programming and secure development experience will review the code.

The Approach

Input/output Data Interfaces

Manual code tracing and automated testing to locate application interfaces and review sanitisation of input or output data. This testing is designed to locate potential injection vulnerabilities that may allow an attacker to send malicious input that affects the execution flow

Secure Coding Techniques

Further analysis will be performed to identify sections of code vulnerable to issues such as format string errors, race conditions, memory leaks, buffer overflows, integer overflows or command injection points.

Transport Security

Manual examination will be performed on the protection mechanisms for the network traffic. Improper use of PKI and SSL/TLS validation vulnerabilities will be investigated.

Cryptography

Code will be verified for cryptographic implementation errors that could affect the confidentiality and integrity of data: weak password generation systems, weak random number generators and incorrect use of high level cryptographic primitives.

Data Storage

A review will be carried out to test the protection measures for sensitive data storage. Including Compliance with data protection regulations, suitable use of operating system or platform storage mechanisms. Storage of personally identifiable information and appropriate storage of application sensitive security tokens or keys

Access Control

A review will be carried out to make sure that proper permissions are in place for interfaces, including IPC interfaces, network interfaces requiring authorisation/authentication, and filesystems.

Deliverable

In-depth report, broken down into 3 main parts:
1. Management Summary
2. Technical Overview
3. Detailed Technical Findings

Highlighting the vulnerabilities:
1. Type of RISK
2. The EFFECT of that RISK
3. Recommendations on how to address and mitigate vulnerabilities
4. Estimate of effort required to remediate any vulnerabilities identified