Traditional penetration tests often focus on simulating threat actors with limited or no prior information about the target system. In some cases this is appropriate, but for maximum levels of assurance, a code review is often a sensible approach. Secur has a team of application security experts who are able to review source code in order to identify vulnerabilities and dangerous coding practices that could not be found with traditional dynamic testing alone.
The team at Secur are among the highest qualified within the cyber security industry and have a wealth of experience and knowledge with application security services. To find out more about code review services, or other services such as red teaming, penetration testing and managed security services, please fill out a contact form and we’ll be in touch.
When is a source code review appropriate?
Generally speaking, a source code review is appropriate whenever higher levels of assurance are required. With access to an application's source code, Secur is able to identify vulnerabilities that would otherwise be very difficult to find. As well as distinct vulnerabilities, a source code review typically reveals poor coding practices that are likely to lead to vulnerabilities in the future.
If any of the following points apply, a source code review is worth considering:
- High impact and critical applications
- Open source software
- Acquired or outsourced applications
- Higher levels of assurance required
- One or more dynamic penetration tests have previously been conducted
How do Secur perform code review testing?
Secur will ensure that one or more consultants with relevant programming experience are assigned to the engagement. Each security consultant has a wealth of experience with application security.
A thorough understanding of the target application is necessary. Before commencing the actual source code review, the lead security consultant will spend time with an appropriate developer in order to gain an in-depth understanding of the software. This includes collaborative conversations covering relevant items such as the design, the documentation and similar material.
Unless there are specific concerns for Secur to focus on, it is important to achieve both breadth and depth of coverage. To that end, a hybrid approach of dynamic tooling and manual review is used. It is also useful to have access to a running version of the target system while the code review is performed, in order to maximise context and verify findings in real time.
What is the output of a code review?
All code reviews result in both a management report and a technical report. The management report is designed for a non-technical audience and describes the overall security posture of the target system in terms of risk. The technical report is designed to be consumed by developers who need to understand the vulnerabilities in more detail. All of Secur’s reports are subject to a rigorous quality assurance process before being released.
Remedial advice is granular, relevant and actionable. Where common themes are identified, Secur will also address those at a higher level. Following delivery of the report, Secur will conduct a debrief (or ‘readout’) with the partner organisation in order to ensure full comprehension of the findings. After the debrief, Secur’s security consultants are on hand to answer any follow-up questions about the security of the target application.