Secure Code Review
Code reviews are arguably the most effective way to evaluate application security. If done during the development process, they are also the most cost-effective.
Secure code reviews are part of software security best practices. Significant improvements in software security can be realized through a formal review of an application's design and code. We use a combination of manual and automated testing. Static and dynamic testing tools are very helpful in some respects, but they do not replace the need for manual review. There is no substitute for actually looking at the code.
Methodology
At a high level, the methodology that we follow for our secure code reviews is as follows:
- Gain an understanding of the application's function (interview developers, review existing documentation)
- Perform threat analysis (threat agents, attack surface, possible attacks, required security controls, potential technical impacts, and important business impacts)
- Identify existing and potential countermeasures
- Conduct manual and automated tests (data validation, authentication, session management, authorization, cryptography, error handling, logging, security configuration, network architecture, logic, etc.)
- Reporting
- Remediation / mitigation
- Training (testing after code is written is far less effective than writing secure code in the first place; we help train developers to write their code more securely and thereby reduce future costs)
- Reassessment
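The following is an added example (not the firm's own tooling or any code from this page) illustrating the manual-plus-automated point in the methodology's testing step. It is a small AST-based check for one data-validation pattern, an SQL query string assembled at the `execute()` call site, run over three constructed snippets. The checker flags the obvious case, correctly passes the parameterized query, and misses the case where the query is assembled in a helper and passed through a variable, which is exactly the kind of finding that still needs a human reading the code.

```python
"""Tiny AST-based checker: flags DB-API execute() calls whose first argument
is a string built at runtime (f-string, concatenation, %-formatting, or
str.format). Added example; the sample snippets below are constructed."""
import ast

# Constructed sample 1: query assembled inline with an f-string.
SAMPLE_DIRECT = '''
def find_user(cursor, name):
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")
'''

# Constructed sample 2: same flaw, but the string is assembled in a helper
# and reaches execute() through a plain variable.
SAMPLE_INDIRECT = '''
def build_query(name):
    return "SELECT * FROM users WHERE name = '" + name + "'"

def find_user(cursor, name):
    q = build_query(name)
    cursor.execute(q)
'''

# Constructed sample 3: parameterized query, the hardened form.
SAMPLE_SAFE = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''


def _is_dynamic_string(node):
    """True when the expression is assembled from pieces at runtime."""
    if isinstance(node, ast.JoinedStr):               # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                    # "a" + b  or  "%s" % b
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                    # "...".format(b)
    return False


def find_dynamic_execute(source):
    """Return line numbers of execute() calls whose first argument is built
    dynamically. Only inspects what is visible at the call site: a query
    assembled elsewhere and passed through a variable is not seen."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute"
                and node.args
                and _is_dynamic_string(node.args[0])):
            findings.append(node.lineno)
    return findings


if __name__ == "__main__":
    for label, src in (("direct", SAMPLE_DIRECT),
                       ("indirect", SAMPLE_INDIRECT),
                       ("safe", SAMPLE_SAFE)):
        hits = find_dynamic_execute(src)
        print(f"{label:9s} flagged lines: {hits or 'none'}")
```

The automated pass is cheap and repeatable, which is why it belongs in the methodology, but the `indirect` sample shows its limit: a reviewer following `build_query()` by hand catches what the call-site check does not. Real tools do inter-procedural tracking far better than this sketch, yet the gap between "what the tool models" and "what the code does" is what the manual review step exists to close.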