SECURE SOURCE CODE REVIEW

Brisk Infosec provides Secure Source Code Review audits, examining the source code of an application to verify that the proper security controls are present, that the code works as intended, and that those controls have been invoked in all the right places. Our secure code review provides insight into what types of problems exist and helps the developers of an application to understand what classes of security issues are present. The goal of Brisk Infosec is to arm the developers with information which helps them make the application’s source code more sound and secure.

NEED

Many organisations use automated tools for code review, but it has been observed that this method has its own obvious limitations. Programmers often follow incorrect programming practices which lead to security loopholes. To mitigate these risks, it is therefore important to perform code review to capture security loopholes.

METHODOLOGY

Threat Modelling

Proper threat modelling is the first step towards a proper secure code review.

Static / Dynamic Code Analysis

We run open source and proprietary static code analysis tools.

Manual Review

We manually check security-sensitive modules and work through a 100-point checklist to ensure maximum coverage.

Confirmation

Every finding is manually verified and we report only confirmed issues, saving valuable development time.

Brisk Infosec will check the security of the source code in the following areas:

  • Data Validation
  • Error Handling
  • Authentication
  • Authorization
  • Session Management
  • Logging
  • Encryption

STANDARDS

We follow the standards as per the client’s requirement and nature of the source code, such as:

  • OWASP
  • SDLC
  • NIST
  • OSSTMM

BENEFITS

  • Secure code review helps to maintain a level of consistency in software design and implementation.
  • Secure code review helps in identifying security bugs that are generally found during penetration tests and dynamic security tests.
  • Besides finding bugs early, code reviews help facilitate knowledge sharing across the code base and across the team.

FAQ

Why do we need to perform secure source code review?
Integrating security testing throughout your development process doesn’t make code secure for release until you’ve ensured that your applications have correctly implemented the security mechanisms.

How does secure source code help?
Secure source code review serves to detect all the inconsistencies that weren’t found in other types of security testing – and to ensure the application’s logic and the business code is sound.

How does it help the organisation financially?
Verifying the security of your code via a secure code review also serves to cut down on time and resources; imagine what it would take if vulnerabilities were detected after release.

What are the types of secure code review?
There are two types of secure code review:

  • Automated secure source code review
  • Manual secure source code review