security source code review audit and scanning

Security Source Code Review

What is Security Source Code Review?

Security Source Code Review provides a deep analysis of software source code to search for accidental and malicious inbuilt security weaknesses. 

Security source code review is generally used by clients with high-risk applications to protect sensitive and confidential information, e.g. financial, payment services, personal data, intellectual property. This service is also popular for applications with frequent and regular release cycles, for example, quarterly or less, as it becomes more cost effective than regular penetration tests.

A security source code review enables scrutiny of application code to detect accidental security vulnerabilities and deliberate application backdoors. The code review is more exhaustive than an application penetration test and can be used, for example, to efficiently discover all instances of SQL injection, XSS and certain other vulnerabilities in a given code set.

Overview of our service

Our security source code reviews are conducted at a client's site or remotely from one of our test centres using an on-site appliance. During a remote source code review the source code remains in the client's control on the client premises and is analysed remotely by a qualified security test engineer using the source code review toolset on the on-site appliance.

A hybrid approach to source code reviews blends automated scanning with intelligent human analysis. We use a combination of in-house developed and commercial tools:

  • Plynt custom scripts (a series of Perl, grep and regex scripts)
  • Static code analysers (source code scanners)
  • Commercial tools, e.g. HP WebInspect
  • Process, file and registry usage monitors

As part of this service, we benchmark web applications against the globally accepted software security standards.  See Web Application Security Certification.

Key service attributes

The hybrid Security Source Code Review technique has been acknowledged as an efficient and innovative approach to code reviews.

  • Greater test coverage through use of automated scripts to analyse the entire code base
  • Business logic flaws and custom application backdoors detected
  • Proprietary scripts are developed, customised and extended for each application and programming style
  • Custom automated scripts that identify suspicious code give greater efficiency
  • Zero false positive findings, as human intelligence is used to verify each finding
  • Rapidly changing applications are tested efficiently, regularly and cost effectively using differential source code review techniques
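The tool list above describes grep and regex scripts that flag suspicious code for a human reviewer, and the last attribute describes differential review of only the code that changed since the last review. The following script, added here as an illustration and not one of Plynt's own scripts, shows both ideas together: two hypothetical grep-style rules (a SQL keyword in a string literal that is then concatenated with a variable, and an `echo` of raw request data) are run over a constructed PHP fragment, and a second pass uses `difflib` to restrict the findings to lines touched between two revisions. The rule names, the sample source and the `Finding` type are all assumptions for this example; every hit is a candidate for manual verification, not a confirmed vulnerability.

```python
import re
import difflib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # hypothetical rule name
    line_no: int    # 1-based line number in the scanned file
    code: str       # the flagged line, kept so a reviewer can verify it


# Hypothetical grep-style rules. Each is deliberately broad: the intent is
# high recall with human verification of every hit, as the page describes.
RULES = [
    # A string literal containing a SQL keyword, immediately concatenated
    # (PHP '.') with a variable: a classic injection candidate.
    ("sqli-string-concat",
     re.compile(r"""(?i)["'][^"'\n]*\b(select|insert|update|delete)\b[^"'\n]*["']\s*\.\s*\$""")),
    # echo of raw request data without an encoding call on the same line.
    ("xss-unencoded-echo",
     re.compile(r"""(?i)\becho\b[^;\n]*\$_(GET|POST|REQUEST|COOKIE)\b""")),
]

# Constructed sample: the previously reviewed revision of a PHP file.
OLD_SOURCE = """<?php
$id = $_GET['id'];
echo $_COOKIE['theme'];
$stmt = $db->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$id]);
echo htmlspecialchars($name);
"""

# Constructed sample: the current revision, where the prepared statement was
# replaced by string concatenation and a new unencoded echo was added.
NEW_SOURCE = """<?php
$id = $_GET['id'];
echo $_COOKIE['theme'];
$q = "SELECT * FROM users WHERE id = " . $id;
$rows = $db->query($q);
echo $_GET['msg'];
echo htmlspecialchars($name);
"""


def scan(source: str) -> list[Finding]:
    """Full-code-base pass: apply every rule to every line."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule, regex in RULES:
            if regex.search(line):
                findings.append(Finding(rule, line_no, line.strip()))
    return findings


def changed_lines(old: str, new: str) -> set[int]:
    """1-based line numbers in `new` that were inserted or replaced."""
    matcher = difflib.SequenceMatcher(a=old.splitlines(), b=new.splitlines())
    changed = set()
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "insert"):
            changed.update(range(j1 + 1, j2 + 1))
    return changed


def differential_scan(old: str, new: str) -> list[Finding]:
    """Differential pass: only findings on lines touched since `old`."""
    touched = changed_lines(old, new)
    return [f for f in scan(new) if f.line_no in touched]


if __name__ == "__main__":
    print("Full scan of current revision (all candidates for review):")
    for f in scan(NEW_SOURCE):
        print(f"  line {f.line_no:>3}  {f.rule:<22} {f.code}")
    print("Differential scan (only lines changed since last review):")
    for f in differential_scan(OLD_SOURCE, NEW_SOURCE):
        print(f"  line {f.line_no:>3}  {f.rule:<22} {f.code}")
```

The full scan still reports the unchanged `echo $_COOKIE['theme'];` on line 3, so a differential review is only as good as the review that preceded it; the differential pass narrows the reviewer's effort to the concatenated query on line 4 and the new `echo` on line 6. The `prepare("... = ?")` call in the old revision is not flagged, because the string literal is not concatenated with a variable.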

What you receive

The results of the tests are presented logically and clearly and are provided through a secure online portal (also downloadable as a PDF). The test report includes the following details:

  • Executive summary
    • Regulation compliance
    • Vulnerability graph
  • Detailed vulnerabilities
    • Detailed steps
    • Vulnerable code
    • Solution
    • Further reading
  • Observations
    • Title
    • Description
    • Solution
  • Test plan
  • Interpreting risk ratings
  • Mitigation tracker
  • Plynt Certification Criteria compliance
  • OWASP Top 10
  • PCI DSS compliance
  • Secure coding guidelines

The reports provide a view of the findings ranked by risk level, helping you prioritise the areas of greatest risk. Clear guidance and concise solutions are included to help you quickly eliminate all vulnerabilities found.

What to do next

Contact us on 0844 488 0963, email us at info@securityalliance.co.uk or complete our Enquiry Form to discuss requirements, get an online demonstration, request a sample report or arrange a meeting.