What If a Gateway for Hackers Was Hidden in Your Source Code?

24 October 2019

Code Review – the Supreme Discipline of Security Analyses

Businesses today invest a lot in a wide range of security measures to protect their infrastructures from attacks. These include working with certified vendors, ensuring secure business operations, training employees to increase their security awareness, implementing an incident response process and much more. But what if the affected application already has a built-in security gap that nobody knows about?

In a Code Review, the supreme discipline of security analyses, the source code of an application is examined. Professional security analysts detect vulnerabilities in the code that allow attackers to view, modify or steal sensitive data without permission.

When Should You Consider a Code Review?

We recommend performing code reviews in addition to pentests when there is a need for protection and the risk of an attack is very high, i.e. for security-critical applications that allow access to sensitive data such as customer data, personal data or business secrets. This particularly applies to in-house developments.

What Procedures Are Used in a Code Review?

Depending on the application and the circumstances, different analytical methods are used: static and manual analyses, or a combination of the two. Various tools are used for static analyses. In order to identify entry points, the data flow is analyzed automatically so that dependencies and correlations of the data or control flow can be identified.
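
The following is an added example, not code from the original article or from usd HeroLab, showing what an automated data-flow analysis can and cannot see in a small file-download handler. The document root, the in-memory "file system" and the owner metadata are constructed stand-ins so the example runs offline.

```python
import posixpath as pp

# Constructed sample environment (not a real deployment): a document root,
# a fake file system and per-document owner metadata, so the example runs offline.
DOCS_ROOT = "/srv/app/docs"
STORAGE = {
    "/srv/app/docs/alice/report.pdf": b"alice's report",
    "/srv/app/docs/bob/invoice.pdf": b"bob's invoice",
    "/srv/app/etc/secret.key": b"key material outside the document root",
}
DOCUMENTS = {"d1": ("alice", "alice/report.pdf"), "d2": ("bob", "bob/invoice.pdf")}


def read_file(path):
    """Stand-in for open(path, 'rb').read(); normpath mimics the OS resolving '..'."""
    resolved = pp.normpath(path)
    if resolved not in STORAGE:
        raise FileNotFoundError(resolved)
    return STORAGE[resolved]


def download_v1(user, filename):
    """Before: the request parameter flows straight into the file sink.
    A data-flow (taint) analysis flags this source-to-sink path automatically."""
    return read_file(pp.join(DOCS_ROOT, filename))


def download_v2(user, doc_id):
    """After fixing the static finding: the path now comes from server-side
    metadata, so the tool is satisfied. The business-logic error remains:
    nothing checks that `user` is allowed to read this document."""
    _owner, rel = DOCUMENTS[doc_id]
    return read_file(pp.join(DOCS_ROOT, rel))


def download_v3(user, doc_id):
    """Hardened: the ownership check that manual review adds. No data-flow rule
    can derive who may read what; that knowledge lives in the business logic."""
    owner, rel = DOCUMENTS[doc_id]
    if owner != user:
        raise PermissionError(f"{user} may not read document {doc_id}")
    path = pp.normpath(pp.join(DOCS_ROOT, rel))
    if not path.startswith(DOCS_ROOT + "/"):  # defence in depth: stay under the root
        raise PermissionError("path escapes the document root")
    return read_file(path)
```

The first version is what the tool reports; the second passes the tool yet still lets any logged-in user fetch any document, which is exactly the kind of finding that only the manual review step produces.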

If errors in the source code are based on business logic, static analysis methods reach their limits. For instance, the analysis tool cannot judge whether the data will be displayed, saved, created or modified as planned. In the first step, the security analyst manually verifies the identified vulnerabilities of the static code analysis. This detects false positives, i.e. false reports from the analysis tool. Afterwards, the source code is manually checked for vulnerabilities. This can also identify errors in the business logic (is it possible to gain unauthorized access to file systems and services?).

What Insights Does a Code Review Provide?

In addition to a comprehensive overview of the security situation of an application, a code review also provides valuable input about the quality of development processes in order to ensure more security in software development. Are established Secure Coding Guidelines and Best Practices being observed? Is the development staff well trained? What risks to the application are caused by insecure code? What entrepreneurial risks are associated with this? Which technical and organizational measures should be implemented to increase the security level?

Are you wondering if your application is secure? The security analysts at usd HeroLab will thoroughly examine your code. We are happy to advise you on your options.
