IT Security. Risk Management. Business Intelligence.
Our Foundation, Your Advantage

 

 Risk Management

 Security Consulting Services

 Infrastructure Assessments

 Application Security
 Technology Solutions

 

 Application Security Code Review

Application security code review services offer line-by-line inspection of the application to determine any security flaws or backdoor that is left into the application. An application security code review is designed to highlight potential security vulnerabilities within the application based upon a defined application threat-model. It is intended to identify unsafe coding practices in areas, including but not limited to:

 

  • Authentication
  • Authorization
  • Session Management
  • Cryptography
  • Error Handling
  • Information Leakage
  • Data Validation and Language Specific Coding Issues
  • Our professionals are well versed in nearly all programming languages in use today, including: Java, C#, ASP, C / C++, Visual Basic, Perl, Python, TCL and assembly language on various platforms.

 

Our Approach

Our approach to Application Security Code Review typically involves the following steps:

  • Threat Modeling: High level threat model is designed with the coordination of development team which helps us understand the applications functionality and existing security threats. Risks identified in the Threat model tell us which code to look at first and deepest.
  • Automation: Use automated tools to assess the code for semantic and language security bugs and optimize the search for vulnerabilities like Cross Site Scripting (XSS), Injection flaws, File Canonicalization and other vulnerabilities that require extensive labour.
  • Manual Validation: Manual validation of significant issues is done and conducted in line-by-line inspection of the application code to find logical errors, insecure use of cryptography, insecure system configurations, and other known issues specific to the platform (e.g. buffer overflow etc.).
     

Typically our manual and tool-guided reviews will identify issues such as:

  • Poor enforcement of authentication and access control
  • Weak cryptographic algorithms and implementation
  • Insecure database access
  • Inadequate protection of data
  • Missing or weak security boundaries
  • Exploitable gaps in business logic
  • Poor resource management
  • Insufficient audit records
  • Vulnerability to well-known attacks such as: SQL injection, cross-site scripting (XSS), buffer overflows, and many others
  • Miscellaneous code quality and consistency issues
  • Non-compliance with organizational code development policies

 

What You Can Expect

 

  • Security Pros with Development/Engineering Background
  • Proven Methodology
  • Business Minded Approach
  • Excellent Reporting
  • Review and Explanation of all Discovered Findings
  • Realistic Recommendations for Remediation
  • Reduced Risk
     

Home | About Us | Contact Us | Privacy Policy | Terms of Use | Sitemap 
Powered by ePROneur.com