What is Secure Code Review?
Security weaknesses introduced by software developers may not be easily detected by vulnerability assessments and penetration testing. Reviewing the source code of your custom-built applications for vulnerabilities or malicious code helps prevent security issues from going into production and is an important part of a secure development lifecycle.
Our secure code review approach uses manual analysis supported by tools to assess the target source code. We will identify common application defects, platform-specific programming flaws, as well as business logic, malicious code and other application specific vulnerabilities.
Secure Code Review Process
Run scanning tools to detect insecure constructs and generic errors
Perform manual review to detect authorization and logic flaws and other complex issues.
Analyze impact and severity of issues, and recommend corrective action.
Verify if previously detected vulnerabilities have been fixed adequately.
Automated vs. Manual Secure Code Review
Based on our experience in delivering secure code reviews for numerous clients and application environments, static code analyzers are of limited usefulness for the detection of authorization problems, logical flaws, malicious code and complicated weaknesses. Automated tools do not understand context and complexity.
Our approach is focused on performing a manual review and does not fully rely on automated scans. No review solely based on the output of a static code analyzer is capable of achieving your secure development objectives.
Frequently Asked Questions
How do you perform the secure code review?
We will first obtain an understanding of the application’s code by using various code comprehension techniques.
During the review, we will focus on the following critical application components:
- Access control components (authentication and authorisation implementation)
- External input handling (user input, file system input, sockets input, etc)
- Encryption implementation (key handling, modes of operation, etc)
- Internal data handling (DB interaction, application server communication, file system)
- Administrative module implementation
- Other critical code segments based on risk analysis
We will examine the source code for the following security weaknesses and vulnerabilities:
- Common application vulnerabilities (e.g. input validation, authentication and access control)
- Weak implementation of security functions (e.g. encryption, access control)
- Backdoors and malware
- Undocumented or unnecessary functionality
- Known language-specific vulnerabilities
- Application logic vulnerabilities
Do I need to send you my source code?
Secure code review can be conducted onsite in your organization’s premises if required. And we can install our tools on your machine if the source code cannot be transferred to our testing laptop.
If the source code can be transferred outside of the organization, we will provide a secure transfer mechanism to upload the source code to our secure testing laptop.
What tools do you use?
We use both commercial and open source tools which will depend on the development language used for the source code.
Yes, we are CREST accredited
Our core team is based in Singapore and consists of CREST certified penetration testers who are also Offensive Security Certified Professional (OSCP) certified. The team has delivered numerous penetration testing projects for customers in Singapore and other locations, from large multinational enterprises to small and medium business, and across various industries.