The document discusses source code review as part of the software development lifecycle. It outlines why source code review is important due to security not being a focus during development. The processes described identify business processes, review critical processes, identify data used, prioritize processes, and review application architecture. The document also lists strategies for protective, preventive, and deceptive reviews, as well as breaking your own system. Services provided include secure architecture reviews, deployment reviews, source code reviews across multiple platforms, automated testing, and manual reviews.
2. Why?
• SDLC – security is not a focus.
• Developers are less trained in, and less aware of, security.
• Standards are not followed.
• QA focuses more on delivering application functionality.
• Beta testing cannot generate security scenarios or surface risks.
• SRS are too much focused towards.
3. What: the processes to secure.
• Identify all business processes.
• Review critical processes.
• Identify the type of data each process handles.
• Prioritize processes.
• Map communication between business processes.
• Identify the approach of the application designer/architect.
Application Architecture Focus
4. How – looking at the big picture
• Intent of the code review.
• Previous breaches.
• Major weaknesses in business processes.
Deployment.
Application Model
Authentication.
Authorization.
Session management.
Data validation.
Error handling.
Memory allocation.
SQL Parsing.
Logging.
Encryption.
Boundary Checks.
Concentrate on critical points.
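As an added, constructed example (not part of the original deck), the following Python shows what a reviewer checks at the "SQL parsing", "Data validation", "Error handling" and "Boundary checks" points above: a lookup that concatenates user input into SQL, beside a hardened version that validates the input at the tier that owns the data, passes it as a bound parameter and fails closed on database errors. The table, rows, username rule and injection payload are all invented for illustration.

```python
"""Review checkpoint demo: data validation, SQL query construction and error handling.

Added example with a constructed in-memory SQLite table; schema, rows and
payloads are invented for illustration.
"""
import logging
import re
import sqlite3

log = logging.getLogger("review-demo")

# Constructed sample data standing in for an application's user table.
SAMPLE_USERS = [
    ("alice", "Alice Example", "staff"),
    ("bob", "Bob Example", "staff"),
    ("carol", "Carol Example", "admin"),
]

# Boundary check (assumed rule): usernames are short, lowercase alphanumerics.
# Anything else is rejected before it reaches the data layer, regardless of
# what the client-side form did.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def open_db():
    """Create the constructed table in memory so the demo runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """What a reviewer flags under 'SQL parsing': the query is built by string
    concatenation, so the input is parsed as SQL rather than treated as data,
    and any database error propagates raw to the caller."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Validation at the data tier, a parameterised query, and error handling
    that fails closed: the caller gets an empty result, the detail goes to
    the log only."""
    if not USERNAME_RE.fullmatch(username):
        log.warning("rejected username of length %d", len(username))
        return []
    try:
        return conn.execute(
            "SELECT username, role FROM users WHERE username = ?", (username,)
        ).fetchall()
    except sqlite3.Error:
        log.exception("user lookup failed")  # traceback to the log, not the client
        return []


def run_review_demo():
    """Exercise both paths with a constructed tautology payload and a malformed input."""
    conn = open_db()
    payload = "' OR '1'='1"   # classic tautology; constructed test input
    malformed = "x'"          # unbalanced quote; constructed test input
    try:
        lookup_vulnerable(conn, malformed)
        leaked_error = False
    except sqlite3.Error:
        leaked_error = True   # raw database error reaches the caller
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_payload_rows": len(lookup_vulnerable(conn, payload)),
        "vulnerable_malformed_raises": leaked_error,
        "hardened_normal": lookup_hardened(conn, "alice"),
        "hardened_payload_rows": len(lookup_hardened(conn, payload)),
        "hardened_malformed_rows": len(lookup_hardened(conn, malformed)),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for key, value in run_review_demo().items():
        print(f"{key}: {value}")
```

Running the module prints both paths' results: the tautology payload returns every row from the concatenated query and nothing from the parameterised one, and the malformed input raises a raw sqlite3 error from the vulnerable path, which is exactly the leak the "Error handling" point asks about.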
6. Service Delivery
• Secure application architecture review.
• Secure application deployment review.
• Source code review across multiple platforms, e.g. .NET, C/C++, Java, Ruby.
• Automated testing – static and dynamic analysis (the tools listed here are static analyzers; dynamic analysis is run against the deployed application):
ESC/Java (Extended Static Checking for Java)
VCG (VisualCodeGrepper) – Java, C/C++, C#, PL/SQL
BugScout – multiple platforms
FxCop – managed .NET code
RIPS – PHP
PScan – C/C++ scans
Flawfinder – C/C++ scans
RATS (Rough Auditing Tool for Security) – C/C++, PHP, Perl, Python
• Manual reviews.
• Review of the resulting reports by the VAPT team.
Editor's Notes
Implementation – Is the application deployed coherently and behind a firewall? Does it expose direct access to the database? Are server/client signatures verified before the application is allowed to execute?
Application Model – MVC, three-tier, hierarchical pattern.
Authentication – Is the user's identity verified before they reach the process and, most importantly, the data associated with it?
Authorization – Is authorization implemented, and is the level of access actually checked?
Session Management – How long may a session stay logged in? Is logging in from multiple locations allowed? Are sessions checked against geolocation?
Data Validation – Is data validated on both server and client side, and at every tier? Client-side validation is a usability aid only; the server-side check is the security control, since the client can be bypassed.
Error Handling – When an error or unexpected situation occurs, is it handled? If an attacker breaches one layer, can you ensure the error is still handled at every other level?
Memory Allocation – Is memory declared and used only as needed, or is it extensible? Why it matters: if an attacker can break all validation checks, can they trigger a memory or buffer overflow?
Logging – What is the log format? Are the logs protected, and do they follow standards that support SIEM and central logging?
Boundary Checks – Are the special conditions at boundaries handled?
We perform automated and manual testing of the entire application, in addition to the secure architecture and secure deployment reviews. These review reports are then sent to the VAPT team for further analysis and the final report.
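The session management note above lists three things to check: how long a session may live, logins from multiple locations, and a location check. The following Python is an added example, not code from the deck, of a session store that enforces them with an idle timeout, an absolute lifetime, one active session per user and a client-address binding. The timeout values, addresses and login sequence are constructed for illustration, and the clock is injected so the behaviour can be checked deterministically.

```python
"""Review checkpoint demo: session management.

Added example, not from the original deck. Timeouts, addresses and the
login sequence are constructed for illustration.
"""
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies (assumed policy)
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap however active the user is (assumed policy)


@dataclass
class Session:
    user: str
    client_addr: str
    created_at: float
    last_seen: float


class SessionStore:
    def __init__(self, clock):
        self._clock = clock      # callable returning seconds; injected for deterministic tests
        self._sessions = {}      # token -> Session
        self._by_user = {}       # user -> token: one active session per user

    def login(self, user, client_addr):
        """Issue a fresh unguessable token; a second login from anywhere revokes the first."""
        previous = self._by_user.get(user)
        if previous is not None:
            self._sessions.pop(previous, None)
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, client_addr, now, now)
        self._by_user[user] = token
        return token

    def validate(self, token, client_addr):
        """Return the user for a live session, else None. Expired or moved sessions are revoked."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess.last_seen > IDLE_TIMEOUT
                or now - sess.created_at > ABSOLUTE_LIFETIME
                or client_addr != sess.client_addr):
            self.revoke(token)
            return None
        sess.last_seen = now     # activity extends the idle window, never the absolute cap
        return sess.user

    def revoke(self, token):
        sess = self._sessions.pop(token, None)
        if sess is not None and self._by_user.get(sess.user) == token:
            del self._by_user[sess.user]


class FakeClock:
    """Controllable time source so the expiry paths can be driven without sleeping."""
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_session_demo():
    """Drive the store through the cases the review note asks about; returns a dict of outcomes."""
    clock = FakeClock(1_700_000_000.0)
    store = SessionStore(clock)
    results = {}
    token = store.login("alice", "10.0.0.5")
    results["fresh"] = store.validate(token, "10.0.0.5")
    clock.advance(IDLE_TIMEOUT + 1)
    results["idle_expired"] = store.validate(token, "10.0.0.5")
    token = store.login("alice", "10.0.0.5")
    results["other_address"] = store.validate(token, "192.0.2.9")   # moved: revoked
    results["after_revoke"] = store.validate(token, "10.0.0.5")     # original address no longer works
    token = store.login("alice", "10.0.0.5")
    for _ in range(ABSOLUTE_LIFETIME // IDLE_TIMEOUT + 1):          # stay active, run out the hard cap
        clock.advance(IDLE_TIMEOUT - 1)
        store.validate(token, "10.0.0.5")
    results["absolute_expired"] = store.validate(token, "10.0.0.5")
    token_a = store.login("bob", "10.0.0.7")
    token_b = store.login("bob", "203.0.113.4")                     # second location revokes the first
    results["first_login_after_second"] = store.validate(token_a, "10.0.0.7")
    results["second_login"] = store.validate(token_b, "203.0.113.4")
    return results


if __name__ == "__main__":
    for key, value in run_session_demo().items():
        print(f"{key}: {value}")
```

Binding a session to the client address is the strictest reading of the geolocation check; on networks where user addresses change (mobile, NAT) it forces re-logins, so many deployments log the change and require step-up authentication instead of revoking outright. The reviewer's question is whether any of these checks exist at all, and whether activity is allowed to extend the absolute lifetime.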