Source Code reviews are an effective method for finding bugs that can be difficult or impossible to find during black box or grey box testing. Our expert developers and security architects conduct a fast and effective code review armed with a comprehensive checklist of common implementation and architecture errors. Our expert team is hence able to quickly assess your code and provide you with a report containing all vulnerabilities discovered during the analysis part.

Source code analysis not only identifies which statement on which line of code is vulnerable, but is also able to identify the tainted variable that introduces the vulnerability. In this way it illustrates the propagation from root cause, to end result. This provides application developers with an end to end overview of each instance of vulnerability, allowing them to quickly understand the nature of the problem.

What is the methodology used for Source Code Review?
Here is a brief snapshot of our Code review methodology followed by our consultants:

  • Review of your software documentation, coding standards, and guidelines.
  • Discussion with your development team about the application.
  • Identification of security design issues by asking your developers a comprehensive list of security questions.
  • Analyze the areas in the application code which handle functions regarding authentication, session management and data validation.
  • Identification of un-validated data vulnerabilities contained in your code.
  • Identification of poor coding techniques allowing attackers to exploit them for launching targeted attacks.
  • Evaluation of security issues specific to individual framework technologies.
When the code review is complete, we'll provide you with a detailed list of design and code level security vulnerabilities as well as remedial steps for improving overall development process.

What are the challenges faced during Source Code Review
Since applications contain bugs; there exists a possibility that an attacker might be able to exploit some of them to impact or gain access to your information assets and capabilities. Web applications in particular are more be affected by these vulnerabilities, as they are frequently developed and deployed quickly in production in short durations without sufficient time spent in security testing. We have a rigorous methodology for reviewing web application code. Our review process is specifically tailored to find vulnerabilities that commonly occur in applications. We use a combination of both automated and manual techniques to conduct a source code review. Through the use of tools such as Checkmarx and Fortify, we are able to pick up vulnerabilities across large code-bases, and then narrow our focus onto security-specific modules of code (such as those implementing encryption or authorization) and also check for business logic issues.

Benefits of engagement with NII
Our secure coding experts have tested and done code reviews for a large variety of programming languages such as C, C++, Java, PHP, CGI, J2EE, Perl, ASP, and .NET systems. We have expanded our capabilities across mobile app code reviews on Android, Windows, iOS, and Blackberry platforms. We can apply the same set of principles and methodologies to web as well as mobile environments. We pride ourselves in tailoring our reviews to look for problems specific to your needs and architecture.

We strongly suggest that code reviews should be a regular event during the project development cycle, because the cost and effort of fixing security flaws at development time is far less than fixing them later, during product deployment or maintenance cycles. Security code reviews done earlier in the development process provide a quick way for new developers to learn how to identify common security defects saving significant time and money during the testing and debugging phase. In terms of pure return on investment, a source code review brings far more to the table than periodic penetration tests.

Related Articles/Blogs

Previous AssessmentSharepoint Security
Next AssessmentNetwork Audit