Source Code Review Assessment

Uncover software code design and implementation flaws

Our source code review assessment uncovers security vulnerabilities, and their development root causes, in the source code of mission-critical business applications.

It is a common belief that web application security scanning is sufficient to identify the vulnerabilities in a web application. This is not always true: scanners can miss critical vulnerabilities in your applications. At zSecure, we complement application scanning with our proven record of source code review for our Customers, with the objective of determining an organization’s exposure to software security risk in its applications. Our solution is designed to provide quality assurance for your application.

With our Source Code Review service, zSecure consultants will help the Customer understand the risk associated with the application by analyzing the software’s source code and providing a comprehensive list of vulnerabilities. A detailed summary of all vulnerabilities is produced along with a description of the underlying code issues and methods to address the vulnerabilities.

IDEAL TIME FOR CODE REVIEW


Methodically reviewing your software code for any latent security issues before release is something that just begs for an independent 3rd party who has proven expertise in deep manual pen testing. It’s well known that security is often seen as a barrier to building easy-to-use software; it often adds cost; and it can slow down releases. It’s also likely that your application programmers are not security experts. But even if your developers do have some security expertise and experience – that can raise a legitimate flag too. That experience may result in them unilaterally baking some well-intentioned security decisions into the code that may in fact be only one of a number of options that they could have implemented. In cases like this, it might make sense to seek out a true security expert’s opinion on the developer’s security design decisions before the software goes into full production.


BENEFITS OF ENGAGEMENT WITH US


Our secure coding experts have tested and reviewed code written in a large variety of programming languages and platforms, including C, C++, Java, PHP, CGI, J2EE, Perl, ASP, and .NET. We have expanded our capabilities to mobile app code reviews on the Android, Windows, iOS, and Blackberry platforms. We apply the same set of principles and methodologies to web and mobile environments alike. We pride ourselves on tailoring our reviews to look for problems specific to your needs and architecture.

We strongly suggest that code reviews be a regular event during the project development cycle, because the cost and effort of fixing security flaws at development time is far less than fixing them later, during deployment or maintenance. Security code reviews done early in the development process also give new developers a quick way to learn how to identify common security defects, saving significant time and money during the testing and debugging phase. In terms of pure return on investment, a source code review brings far more to the table than periodic penetration tests.

OUR APPROACH TO CODE REVIEW


zSecure code review services are primarily focused on looking for design flaws and implementation bugs.

  • Design flaws are poor design decisions, such as choosing an inappropriate source of randomness for cryptographic key generation, or a weak or non-compliant authentication solution;
  • Implementation bugs are typically syntactic or semantic language constructs that lead to security vulnerabilities.
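As an added illustration (example code, not zSecure's own tooling), the check below is the kind of static finding a source code review produces for the first design flaw named above: a non-cryptographic PRNG used to generate key or token material, shown beside the hardened form. The sample source it scans is constructed for this example.

```python
"""Added example: flag `random.<fn>` calls during review and contrast the
flawed token generator with a CSPRNG-backed one."""
import ast
import random
import secrets
from typing import List

# Constructed sample of application code a reviewer might be handed.
SAMPLE_SOURCE = '''
import random, secrets

def make_session_token():
    return "%032x" % random.getrandbits(128)   # weak: predictable PRNG

def make_api_key():
    return secrets.token_hex(16)               # correct: CSPRNG
'''

# Functions of the `random` module that must never feed key or token material.
WEAK_RNG_CALLS = {"random", "getrandbits", "randint", "randrange",
                  "choice", "choices", "uniform"}


def find_weak_rng_calls(source: str) -> List[int]:
    """Return line numbers of `random.<fn>` calls. AST-based, so comments and
    string literals do not produce false positives."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "random"
                and node.func.attr in WEAK_RNG_CALLS):
            hits.append(node.lineno)
    return sorted(hits)


def weak_token(seed: int) -> str:
    """The flawed design: Mersenne Twister output is fully determined by its seed,
    so the 'secret' is reproducible by anyone who knows or guesses the seed."""
    return "%032x" % random.Random(seed).getrandbits(128)


def strong_token() -> str:
    """The hardened form: OS-backed CSPRNG via the secrets module."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    print("weak RNG call(s) on line(s):", find_weak_rng_calls(SAMPLE_SOURCE))
    print("same seed gives same token:", weak_token(1234) == weak_token(1234))
    print("strong token:", strong_token())
```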

Our code review validates the security of both your application design and its underlying code in a pre-production environment. First, an in-depth static code review (visual inspection, assessment scans, etc.) is completed. Then, as called for, an aggressive manual pen testing process takes place to verify any suspected vulnerabilities.

Finally, based on our static code review and manual pen testing work, we might also recommend that you hire us after release to test the software in its full production environment (i.e., on the actual production server, plugged into the network, and fully enabled for its real mission). This makes sure that any platform, operating system, middleware, networking or other issues that could be exploited by an attacker – with or without login credentials – will be brought forward to your security team sooner rather than later.


OUR DELIVERABLES


We deliver a detailed and comprehensive report at the conclusion of each security assessment. All our reports are highly customizable depending on requested reporting requirements and typically include an executive summary, detailed technical findings and recommendations, and illustrative walkthroughs of all exploitation steps performed.