Security code review

Published: 2014-05-04 | Author: Eoin Keary

It is our belief that the use of code review as a part of our Grey-box security assessment approach is very effective for many compelling reasons:

Code review makes our findings more comprehensive and more accurate than any other assessment approach. Coupled with penetration testing, code review is very effective: it offers you a 360 degree view of your application. Despite the common viewpoint, the use of code review makes reviews more cost-effective and also reduces the findings in subsequent penetration tests. Code review also empowers developers to write cleaner, more secure code, which over time can lower the cost of ownership significantly.

We have a proven mobile smart-phone code review and grey-box assessment process which has been very successful in assisting our clients with identifying issues relating to privacy, secure design and technical security controls. Many of our clients are in the financial sector, which is rapidly moving into the realm of smart-phone banking and financial services.

Our team has significant experience verifying the security of the code for complex enterprise and mobile smart-phone applications. We can review millions of lines of code every month across a wide range of technologies and frameworks. We have significant experience with most modern software languages and frameworks, including Java, .NET, C/C++, ASP, Oracle, Struts, Spring and Ajax, to name but a few.

Even if you didn't develop the code yourself, we are happy to work with your software provider, which is a common situation, in particular with mobile applications. Many vulnerabilities cannot be discovered without using code review, and for many other flaws code review is simply more effective than scanning or testing. Code review can verify issues that have proven difficult to assess using traditional assessment methods. These include resource usage, availability issues, access control, encryption, data protection, logging, and back-end system communications and usage.

Manual code review is also very useful in identifying the attack surface or perimeter of an application, tracing how data flows through the application from its sources (the points where untrusted input enters) to its sinks (the operations where that input is used). Manual code review helps us understand the security architecture, so that we can isolate architectural and design flaws. Security source code review improves compliance posture with regulations and control frameworks, such as the Payment Card Industry Data Security Standard (PCI DSS), COBIT, ISO 27001 (formerly 17799) and GLBA.
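To make the source-to-sink tracing described above concrete, here is an added example (not code from the original post or from the author's firm) of a minimal taint tracer built on Python's `ast` module. It runs over a constructed sample module, marks variables that receive data from assumed sources (`request.args.get`, `input`), treats assumed sanitizers (`int`, `html.escape`, `shlex.quote`) as cleansing, and reports calls to assumed sinks (`cursor.execute`, `os.system`) that receive tainted data. Everything in the `SOURCES`, `SINKS`, `SANITIZERS` sets and the `SAMPLE` module is a constructed assumption for illustration; the tracer follows program order within each function and is not interprocedural, which is exactly the kind of gap a manual reviewer fills.

```python
"""Minimal source-to-sink taint tracer (constructed example, not a product)."""
import ast

# Assumed names: where untrusted data enters, where it becomes dangerous,
# and which calls are treated as neutralising it.
SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {"cursor.execute", "os.system", "subprocess.call"}
SANITIZERS = {"int", "html.escape", "shlex.quote"}


def dotted_name(node):
    """Return 'a.b.c' for Name/Attribute chains, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintTracer(ast.NodeVisitor):
    """Tracks tainted variable names in program order, one function at a time."""

    def __init__(self):
        self.tainted = set()   # variable names currently holding tainted data
        self.findings = []     # (line, sink name, tainted variables reaching it)

    def is_tainted(self, node):
        """True if the expression reads a tainted name or calls a source."""
        if isinstance(node, ast.Call):
            fname = dotted_name(node.func)
            if fname in SANITIZERS:
                return False       # sanitizer output is treated as clean
            if fname in SOURCES:
                return True
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        return any(self.is_tainted(c) for c in ast.iter_child_nodes(node))

    def visit_FunctionDef(self, node):
        # Each function starts with an empty taint set (no interprocedural flow).
        saved, self.tainted = self.tainted, set()
        self.generic_visit(node)
        self.tainted = saved

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            via = sorted({n.id for a in node.args for n in ast.walk(a)
                          if isinstance(n, ast.Name) and n.id in self.tainted})
            self.findings.append((node.lineno, name, via))
        self.generic_visit(node)


def trace(source_code):
    """Parse a module and return [(line, sink, [tainted names])] findings."""
    tracer = TaintTracer()
    tracer.visit(ast.parse(source_code))
    return tracer.findings


# Constructed sample module: two unsafe flows, one sanitized flow, one constant.
SAMPLE = '''
import os
from flask import request

def lookup(cursor):
    user = request.args.get("user")
    query = "SELECT * FROM accounts WHERE name = " + user
    cursor.execute(query)

def ping():
    host = request.args.get("host")
    os.system("ping -c 1 " + host)

def safe_lookup(cursor):
    uid = int(request.args.get("id"))
    cursor.execute("SELECT * FROM accounts WHERE id = %s", (uid,))

def constant():
    os.system("uptime")
'''

if __name__ == "__main__":
    for line, sink, via in trace(SAMPLE):
        print(f"line {line}: tainted data reaches {sink} via {via}")
```

Running the module reports the two flows in `lookup` and `ping` and stays silent on `safe_lookup` (the `int()` call is treated as a sanitizer) and on `constant` (no source involved). A reviewer would then examine each reported sink, and separately question whether every entry in `SANITIZERS` really neutralises input for the sink it feeds, since a tool like this only knows what it is told.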