Security Code Review

Security Innovation offers a range of services that help organizations resolve vulnerabilities and weaknesses in a portfolio of enterprise applications, a stand-alone application, an embedded software system, or within the software development process itself.

Identify Code Constructs that Lead to Vulnerabilities

A code review analyzes an existing codebase and locates the code constructs that lead to security vulnerabilities. The result is a detailed report outlining code issues and suggested repairs for improved security - allowing teams to better understand the problem areas of their code and to prevent common logic errors and other mistakes in the future.

Our expert security team employs a combination of static analysis tools and “eyes on” manual review to uncover the highest number of flaws possible - and provides remediation for those coding errors. Code reviews may be executed against applications written in C, C++, C#, Visual Basic, Visual Basic.NET, ABAP, and a myriad of web technologies including Ruby, PHP, AJAX, and Perl.


Four-step Approach  


1. Identifying Security Code Review Objectives

The first step is to build a threat model and understand the application architecture and the technology used to build it. The review objectives take the form of the set of vulnerability classes we will be looking for.


2. Performing the Preliminary Scan

During the preliminary scan we use a combination of static analysis and manual review to identify hot spots in the code – areas that are likely to contain more vulnerabilities than others. Security defects tend to cluster; the initial scan allows us to prioritize the highest risk areas for intensive coverage.


3. Conducting the Primary Code Review

During the primary code review Security Innovation engineers thoroughly review the code for commonly occurring security issues. This review is guided by a question list that keeps the reviewer looking for the sets of issues relevant to the application. Familiar vulnerabilities such as buffer overruns, cross-site scripting and SQL injection are found in this step.


4. Performing the Final Review

The final review cycle is spent investigating issues that are unique to the application architecture. These are generally expressed as threats in the threat model or as security-specific features such as custom authentication or authorization routines.
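The preliminary scan (step 2) and the question-list-driven primary review (step 3) can be illustrated with a small hot-spot triage script. The following is an added example written for this page; it is not Security Innovation's tooling and does not reproduce their rule set. It ranks source files by the density of risky constructs (unbounded C string copies, SQL built by string concatenation, unencoded output of request data, shell execution) so that manual effort goes first to the files where defects tend to cluster, and then emits the review questions a reviewer should ask for each class found. The sample files, the regexes and the question text are all constructed for the example; a hit is a candidate for manual review, not a confirmed vulnerability.

```python
"""Hot-spot triage for a preliminary security code review (added example)."""
import re

# Rules: (vulnerability class, regex). Deliberately simple and illustrative;
# a real scan would use a proper static analysis tool and a richer rule set.
RULES = [
    ("buffer overrun",
     re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\(")),
    # A double-quoted literal containing a SQL keyword, followed by a
    # concatenation operator (+ in C#/Java/Python, . in PHP, % in Python).
    ("SQL injection",
     re.compile(r'(?i)"[^"\n]*\b(select|insert|update|delete|where)\b[^"\n]*"\s*[+%.]')),
    ("cross-site scripting",
     re.compile(r"innerHTML\s*=|document\.write\s*\(|echo\s+\$_(GET|POST|REQUEST)")),
    ("command injection",
     re.compile(r"\b(system|popen|exec|shell_exec|passthru)\s*\(|shell\s*=\s*True")),
]

# Question list for the primary review, keyed by vulnerability class (constructed).
QUESTIONS = {
    "buffer overrun": "Is every copy into a fixed-size buffer bounded by the "
                      "destination size, and is the result NUL-terminated?",
    "SQL injection": "Is the query parameterised, or is untrusted input "
                     "concatenated into the SQL text?",
    "cross-site scripting": "Is output encoded for the context (HTML body, "
                            "attribute, JavaScript) it is written into?",
    "command injection": "Can the command or its arguments be influenced by "
                         "untrusted input, and is a shell needed at all?",
}

# Constructed sample codebase: path -> file contents.
SAMPLE_FILES = {
    "net/parse.c": """#include <string.h>
void handle(char *in) {
    char buf[64];
    strcpy(buf, in);            /* unbounded copy into a fixed buffer */
    sprintf(buf, "%s", in);     /* same problem, different function */
    buf[63] = 0;
}
""",
    "web/user.php": """<?php
$q = "SELECT * FROM users WHERE name = '" . $_GET['name'] . "'";
echo $_GET['name'];
system("ping " . $_GET['host']);
""",
    "app/report.py": """import subprocess

def run(cmd):
    # runs through /bin/sh, so metacharacters in cmd are interpreted
    return subprocess.run(cmd, shell=True)
""",
    "util/math.c": """int add(int a, int b) { return a + b; }
int mul(int a, int b) { return a * b; }
""",
}


def scan_file(source):
    """Return (non-blank line count, {class: hit count}) for one file."""
    lines = source.splitlines()
    loc = sum(1 for line in lines if line.strip())
    hits = {}
    for line in lines:
        for vuln_class, rx in RULES:
            n = sum(1 for _ in rx.finditer(line))
            if n:
                hits[vuln_class] = hits.get(vuln_class, 0) + n
    return loc, hits


def scan_sources(files):
    """Rank files by hit density (hits per 1000 non-blank lines), densest first."""
    report = []
    for path, source in files.items():
        loc, hits = scan_file(source)
        total = sum(hits.values())
        per_kloc = round(total * 1000 / loc, 1) if loc else 0.0
        report.append({"path": path, "loc": loc, "hits": hits,
                       "total": total, "per_kloc": per_kloc})
    # Density first so a small, dirty file outranks a large one with a few hits.
    report.sort(key=lambda r: (-r["per_kloc"], -r["total"], r["path"]))
    return report


def review_questions(record):
    """The question-list entries a reviewer should work through for this file."""
    return [QUESTIONS[c] for c in sorted(record["hits"])]


if __name__ == "__main__":
    for rec in scan_sources(SAMPLE_FILES):
        print(f"{rec['path']:<16} {rec['per_kloc']:>7.1f}/kloc  {rec['hits']}")
        for q in review_questions(rec):
            print("   -", q)
```

On the constructed sample the PHP file ranks first (three distinct classes in four lines), the C parser second and the Python wrapper third, while the arithmetic helper drops to the bottom and can be covered lightly. The density ranking is only a prioritisation aid: step 4 still has to look at the code that matches no pattern at all, such as custom authentication or authorization routines.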