It is our belief that using application security code review (ASCR) as part of our grey-box security assessment approach is very effective, for several compelling reasons:
Code review makes our findings more comprehensive and more accurate than any other assessment approach. Coupled with penetration testing, code review is very effective: it offers you a 360-degree view of your application. Despite the common viewpoint, the use of code review makes reviews more cost-effective and also reduces the number of findings in subsequent penetration tests. Code review also empowers developers to write cleaner, more secure code, which over time can lower the cost of ownership significantly.
Our team has significant experience verifying the security of the code for complex enterprise and mobile smartphone applications. We can review millions of lines of code every month across a wide range of technologies and frameworks.
Even if you did not develop the code yourself, we are happy to work with your software provider, which is a common situation, particularly with mobile applications. Many vulnerabilities cannot be discovered without code review, and for many other flaws, code review is simply more effective than scanning or testing. Code review can verify issues that have proven difficult to assess using traditional assessment methods. These include resource usage, availability issues, access control, encryption, data protection, logging, and back-end system communications and usage.
Manual code review is also very useful in identifying the attack surface or perimeter of an application, tracing how data flows through an application from its sources to its sinks. Manual code review helps us understand the security architecture, so that we can isolate architectural and design flaws. Security source code review improves compliance posture with regulations and control frameworks, such as the Payment Card Industry Data Security Standard (PCI DSS), COBIT, ISO 27001 (formerly 17799) and GLBA.
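To make the source-to-sink tracing mentioned above concrete, here is an added example (not code from the original page or from the firm described): a small, standard-library-only data-flow tracer for Python code. The source and sink names, and the sample program it analyses, are constructed for this illustration; a real review would derive them from the application's own frameworks and entry points.

```python
"""
Added example: a minimal source-to-sink data-flow tracer.

It models the manual review task of marking where untrusted data enters
(sources), marking dangerous operations (sinks), and following assignments
to see whether tainted data reaches a sink.
"""
import ast

# Hypothetical source and sink names, constructed for this example.
SOURCES = {"request.args.get", "input"}
SINKS = {"os.system", "subprocess.call", "cursor.execute"}

# Constructed sample program to analyse (line 1 is the blank line after ''').
SAMPLE = '''
import os
def handler(request):
    name = request.args.get("name")
    greeting = "Hello " + name
    os.system("echo " + greeting)
    count = len(greeting)
    cursor.execute("SELECT 1")
    cursor.execute("SELECT * FROM t WHERE n = '" + name + "'")
'''


def dotted_name(node):
    """Return 'a.b.c' for an Attribute/Name chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def is_tainted(expr, tainted):
    """True if the expression reads a tainted variable or calls a source."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Call) and dotted_name(sub.func) in SOURCES:
            return True
    return False


class FlowTracer(ast.NodeVisitor):
    """Walks statements in source order, spreading taint through assignments
    and recording every sink call that receives tainted data."""

    def __init__(self):
        self.tainted = set()   # variable names currently holding untrusted data
        self.flows = []        # (line number, sink name) pairs

    def visit_Assign(self, node):
        self.generic_visit(node)  # a sink may be called inside the right-hand side
        if is_tainted(node.value, self.tainted):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.tainted.add(target.id)

    def visit_Call(self, node):
        sink = dotted_name(node.func)
        if sink in SINKS and any(is_tainted(a, self.tainted) for a in node.args):
            self.flows.append((node.lineno, sink))
        self.generic_visit(node)


def trace_flows(source_code):
    """Return the list of (line, sink) pairs where tainted data reaches a sink."""
    tracer = FlowTracer()
    tracer.visit(ast.parse(source_code))
    return tracer.flows


if __name__ == "__main__":
    for line, sink in trace_flows(SAMPLE):
        print(f"line {line}: untrusted data reaches {sink}")
```

Run on the sample, the tracer reports the `os.system` call on line 6 and the second `cursor.execute` on line 9, while the constant query on line 8 is left alone. The analysis is deliberately flow-insensitive and knows nothing about sanitisers or encoding, which is exactly the gap a manual reviewer closes: the tool finds candidate paths, and the reviewer decides whether each one is actually exploitable in context.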