Code Review – the Supreme Discipline of Security Analyses
Businesses today invest a lot in a wide range of security measures to protect their infrastructures from attacks. These include working with certified vendors, ensuring secure business operations, training employees to increase their security awareness, implementing an incident response process and much more. But what if the affected application already has a built-in security gap that nobody knows about?
In a Code Review, the supreme discipline of security analyses, the source code of an application is examined. Professional security analysts detect vulnerabilities in the code that allow attackers to view, modify or steal sensitive data without permission.When Should You Consider a Code Review?
We recommend performing code reviews in addition to pentests when there is a need for protection and the risk of an attack is very high, i.e. for security-critical applications that allow access to sensitive data such as customer data, personal data or business secrets. This particularly applies to in-house developments.What Procedures Are Used in a Code Review?
Depending on the application and the circumstances, different analytical methods are used: static and manual analyses, or a combination of the two. Various tools are used for static analyses. In order to identify entry points, the data flow is analyzed automatically so that dependencies and correlations of the data or control flow can be identified.
If errors in the source code are based on business logic, static analysis methods reach their limits. For instance, the analysis tool cannot judge whether the data will be displayed, saved, created or modified as planned. In the first step, the security analyst manually verifies the identified vulnerabilities of the static code analysis. This detects false positives, i.e. false reports from the analysis tool. Afterwards, the source code is manually checked for vulnerabilities. This can also identify errors in the business logic (is it possible to gain unauthorized access to file systems and services?).What Insights does a Code Review Provide?
In addition to a comprehensive overview of the security situation of an application, a code review also provides valuable input about the quality of development processes in order to ensure more security in software development. Are established Secure Coding Guidelines and Best Practices being observed? Is the development staff well trained? What risks to the application are caused by insecure code? What entrepreneurial risks are associated with this? Which technical and organizational measures should be implemented to increase the security level?