Source Code Review

Source code review is efficient at finding bugs that are hard to reach in black-box or grey-box assessments: hard-coded credentials, unsafe defaults on code paths a tester never triggers, weak cryptographic choices, and input-validation gaps that only show up with an unusual payload. Our experts and security architects conduct a fast and effective review armed with a comprehensive checklist of typical implementation and architecture errors, and deliver a report of every vulnerability discovered during the analysis.

Source code review identifies not only the line on which a vulnerability manifests but also the tainted variable that introduces it, tracing the propagation from root cause (the input an attacker controls) to result (the dangerous operation that input reaches). This gives developers an end-to-end view of each instance of a vulnerability, so they understand the nature of the problem quickly and fix the cause rather than the symptom.

Every application contains bugs, and an attacker may be able to exploit some of them to damage or gain access to your information assets and capabilities. Applications are especially exposed because they are updated frequently and pushed to production on short cycles without sufficient time for security testing. We have a rigorous methodology for reviewing application code, tailored to the vulnerabilities that commonly occur in applications.

Threat Modelling is a prerequisite for our Security Audits: it provides a comprehensive view of the attack surface exposed by the target together with the likely threat actors.

One of the primary goals of investing in a Threat Model for an application is to prioritize its components and functionalities by business criticality and threat exposure. This makes the Security Audit more effective and the auditor(s) more productive, because effort is focused on the critical components and functionalities first.

Application Decomposition

The objective is to gain an understanding of the application and its interaction with external entities. Information gathering and documentation achieve this goal. The information-gathering process follows a clearly defined structure, which ensures that the correct information is collected and describes how the data should be documented to produce the Threat Model.

Threat Identification

The objective is to identify the threats affecting the application and its environment. Both internal and external threats are enumerated and categorized, and the Threat Model supplies the methodology for categorizing the identified threats so that priorities can be set.

Attack Surface

A significant part of a security code review is analysing the attack surface. An application takes inputs and produces outputs; attacks travel along those data streams, feeding the application unexpected data on one of its inputs and observing how it handles it. Every input channel is therefore a candidate entry point for tainted data.

Input, for example, can be:

  • Browser input
  • Cookies
  • Property files
  • External processes
  • Data feeds
  • Service responses
  • Flat files
  • Command-line parameters
  • Environment variables
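
As an added worked example (not code from the original page or the firm's own tooling), the small Python script below does mechanically what the review described earlier does by hand: it follows a tainted variable from the input where it enters to the dangerous call it reaches, and it treats several of the input kinds just listed as taint sources. The two functions it analyses are constructed samples, and the source/sink catalogue (`request.args.get`, `request.cookies.get` and `os.environ.get` as sources; the first argument of `execute` and `system` as sinks) is a hypothetical one chosen for the example.

```python
import ast
from typing import Dict, List, Optional, Tuple

# Constructed sample input (written for this example, not taken from a real code base):
# two functions that read one listed input kind each and pass it, unsanitised, to a dangerous call.
VULNERABLE = '''
import os
def lookup(request, cursor):
    raw = request.args.get("user")                             # source: browser input
    name = raw.strip()                                         # propagation
    query = "SELECT * FROM users WHERE name = '" + name + "'"  # propagation
    cursor.execute(query)                                      # sink: SQL text
    return cursor.fetchall()

def archive():
    target = os.environ.get("ARCHIVE_DIR")                     # source: environment variable
    cmd = "tar czf backup.tgz " + target                       # propagation
    os.system(cmd)                                             # sink: shell command line
'''

# The same lookup with the query parameterised: the tainted value still reaches execute(),
# but as a bound parameter rather than as part of the SQL text.
HARDENED = '''
def lookup(request, cursor):
    raw = request.args.get("user")
    name = raw.strip()
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cursor.fetchall()
'''

# Hypothetical source/sink catalogue for this example; a real review keeps a far longer one.
SOURCES = {("request", "args", "get"), ("request", "cookies", "get"),  # browser input, cookies
           ("os", "environ", "get")}                                    # environment variables
SINKS = {"execute": 0, "system": 0}  # method name -> index of the argument that must stay untainted


def _dotted(node: ast.AST) -> Optional[Tuple[str, ...]]:
    """('os', 'environ', 'get') for os.environ.get; None if the callee is not a plain name chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None


def _names_in(node: ast.AST) -> set:
    """Every plain variable name referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def find_taint_flows(source: str) -> List[dict]:
    """Intraprocedural taint tracking over straight-line `x = <expr>` assignments.

    Returns one record per sink call whose guarded argument depends on a source, with the
    chain of (line, variable) hops the taint travelled through. Control flow, attribute
    stores and the return values of ordinary calls are deliberately not modelled.
    """
    flows = []
    for func in [n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)]:
        tainted: Dict[str, List[Tuple[int, str]]] = {}
        for stmt in func.body:
            # 1. Report every sink in this statement whose guarded argument uses a tainted variable.
            for call in [c for c in ast.walk(stmt) if isinstance(c, ast.Call)]:
                dotted = _dotted(call.func)
                if not dotted or dotted[-1] not in SINKS or SINKS[dotted[-1]] >= len(call.args):
                    continue
                for var in sorted(_names_in(call.args[SINKS[dotted[-1]]]) & set(tainted)):
                    flows.append({"function": func.name, "sink": ".".join(dotted),
                                  "sink_line": call.lineno, "chain": tainted[var]})
            # 2. Introduce or propagate taint through single-target assignments.
            if not (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                continue
            target, value = stmt.targets[0].id, stmt.value
            if isinstance(value, ast.Call) and _dotted(value.func) in SOURCES:
                tainted[target] = [(stmt.lineno, target)]           # root cause
                continue
            used = _names_in(value) & set(tainted)
            if used:
                origin = min(used, key=lambda v: len(tainted[v]))  # shortest chain wins
                tainted[target] = tainted[origin] + [(stmt.lineno, target)]
    return flows


def describe(flow: dict) -> str:
    """Render a flow the way a finding reads: source -> hops -> sink."""
    hops = " -> ".join(f"{var} (line {line})" for line, var in flow["chain"])
    return f"{flow['function']}: {hops} -> {flow['sink']} (line {flow['sink_line']})"


if __name__ == "__main__":
    for label, code in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        found = find_taint_flows(code)
        print(f"{label}: {len(found)} flow(s)")
        for flow in found:
            print("  " + describe(flow))
```

Run as a script, it reports one flow per sample function, for instance `archive: target (line 11) -> cmd (line 12) -> os.system (line 13)`, and nothing for the hardened lookup: there the tainted `name` still reaches `execute()`, but as a bound parameter rather than in the SQL text, so the guarded argument is clean. That distinction, between a tainted value reaching a dangerous call and a tainted value controlling the dangerous part of the call, is exactly the one a reviewer has to make when deciding whether a flow is a finding.
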

The STRIDE Threat Model

STRIDE, developed and named at Microsoft, is a well-known approach to Threat Modelling software systems, web applications included. The model categorizes threats into six classes, each the negation of a security property:

  • Spoofing (defeats authentication: impersonating a user, service or host)
  • Tampering (defeats integrity: unauthorized modification of data in transit or at rest)
  • Repudiation (defeats non-repudiation: actions that cannot be reliably traced to an actor)
  • Information Disclosure (defeats confidentiality: exposing data to parties not entitled to it)
  • Denial of Service (defeats availability: degrading or blocking legitimate use)
  • Elevation of Privilege (defeats authorization: gaining capabilities beyond those granted)

Each identified threat is then given a criticality rating according to the business context and the impact its category would have on the application.

METHODOLOGY
  • Review of software documentation, coding standards and guidelines
  • Discussion with the development team
  • Identification of security design issues
  • Analysis of the critical areas of application code that handle authentication, session management and data validation
  • Identification of unvalidated-input vulnerabilities in the code
  • Identification of poor coding practices
  • Evaluation of security issues specific to the frameworks in use

When the code review is complete, we provide you with a detailed list of design and code-level security vulnerabilities along with remedial steps for improving the overall development process.

BENEFITS
  • Identification of exploitable security issues
  • Helps safeguard the integrity and security of sensitive, business-critical data
  • Enables secure extension of business applications
  • Helps prevent application downtime, improving productivity and user confidence in application security
  • Supports efforts to achieve and maintain compliance with government and industry regulations

Get Started Now Discovering and Fixing the Threats to Your IT Infrastructure.

There’s an old saying: “The best time to plant a tree is 20 years ago. The second-best time is today.” There’s no better time than now to start uncovering and addressing the vulnerabilities that can cause no end of expense, embarrassment, and litigation for your organization.

It’s easy to get started and costs less than you probably think.

So please contact us. Now.