VSEC’s source code review services help uncover unexpected and hidden vulnerabilities and design flaws in source codes. We use a mix of scanning tools and manual review to detect insecure coding practices, injection flaws, cross site scripting flaws, backdoors, weak cryptography, insecure handling of external resources, etc.
2. WHY DOES CODE HAVE VULNERABILITIES?
Almost 700 different kinds of software weaknesses have been catalogued by MITRE in their CWE project. These are all different kinds of mistakes that software developers can make and that lead to insecurity. Each of these weaknesses is hard to recognize and many are very tricky. Software developers lack training about these weaknesses and problems, both at school and at work.
These problems have become so important in recent years because connectivity has increased and new technologies and protocols are continuously added at a shocking rate. Our ability to invent technology has seriously outpaced our ability to secure it. Security issues have not been considered carefully for many of the technologies in use today.
Vietnam Security Network JSC – Application Security Assessment Services
3. There are many reasons why businesses are not spending enough time on security. This results from the nature of the software market. Because software is like a black box, it is extremely difficult to explain to the client the difference between good code and insecure code.
Many people still ignore security code review, saying: “We never get hacked (that I know of), we don’t need security”, “We have a firewall that protects our applications”, “We trust our employees not to attack our applications”. If these people do not even know what risks they are taking, they are being irresponsible to both their shareholders and their customers.
This lack of visibility would not motivate buyers to pay more for secure code, or vendors to spend more resources on producing secure code.
4. WHAT IS SOURCE CODE REVIEW?
Source code review is the process of auditing the source code for an application to check if proper security controls are in place, if they work as intended, and if they have been invoked in all the right places. The aim of source code review is to ensure “self-defense” of the application in its given environment.
Source code review helps assure that application developers are following secure development techniques. Normally, no additional vulnerabilities related to the developed code should be discovered in a penetration test after the application has undergone a proper source code review.
In a source code review, human effort and technology support should be used in combination. Expertise is required to use the current application security tools effectively. Tools can be used to review source code, but their results always need verification by people. People understand context, while tools do not. Large amounts of code can be scanned automatically by tools and possible issues discovered, but a person is needed to verify every single result to determine if it is a real issue, if it is actually exploitable, and to calculate the risk to the company. There are also significant blind spots that automated tools simply cannot check, so human reviewers are also necessary.
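As an added illustration of the tool-plus-reviewer split described above (example code written for this page, not VSEC's tooling or any real scanner), the following Python script runs a few deliberately naive pattern rules over a constructed sample of source lines, records for each hit the question a reviewer must answer, and then merges the reviewer's verdicts so that only confirmed findings reach the report. The sample lines, rule names and verdicts are all constructed; the point is that the same pattern (for instance an MD5 call) is a real issue on one line and harmless on another, and only context decides.

```python
"""Toy scan-then-verify workflow (added example; not VSEC's tooling).

An automated pass matches cheap patterns line by line with no context.
A manual pass supplies verdicts: the reviewer decides, after reading the
surrounding code, whether each hit is real and how severe it is.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a few lines from a hypothetical Python web handler.
SAMPLE_SOURCE = """\
import hashlib
query = "SELECT * FROM users WHERE name = '" + request.args["name"] + "'"
cursor.execute(query)
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
digest = hashlib.md5(file_bytes).hexdigest()  # cache key only
password_hash = hashlib.md5(password.encode()).hexdigest()
API_KEY = "EXAMPLE-PLACEHOLDER-KEY"
"""


@dataclass
class Finding:
    line_no: int
    rule: str
    snippet: str
    verify: str  # what a human must confirm before this counts as a vulnerability


# (rule name, pattern, verification question): constructed, deliberately naive rules.
RULES = [
    ("sql-string-concat",
     re.compile(r"""\b(SELECT|INSERT|UPDATE|DELETE)\b.*['"]\s*\+"""),
     "Is the concatenated value attacker-controlled, and does the string reach execute()?"),
    ("weak-hash-md5",
     re.compile(r"hashlib\.md5\("),
     "Does a security property (passwords, integrity) depend on this digest?"),
    ("hardcoded-secret",
     re.compile(r"""(?i)\b(api_key|password|secret)\s*=\s*['"][^'"]+['"]"""),
     "Is the literal a live credential rather than a placeholder or test fixture?"),
]


def scan(source: str) -> list[Finding]:
    """Automated pass: every line against every rule, with no understanding of context."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule, pattern, verify in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, rule, line.strip(), verify))
    return findings


def apply_review(findings: list[Finding], verdicts: dict) -> dict:
    """Manual pass: merge reviewer verdicts keyed by line number.

    verdicts[line_no] = (status, severity, note) with status in
    {"confirmed", "false_positive"}. Hits without a verdict stay
    'unverified' and are never reported as vulnerabilities.
    """
    report = {"confirmed": [], "false_positive": [], "unverified": []}
    for f in findings:
        if f.line_no not in verdicts:
            report["unverified"].append(f)
            continue
        status, severity, note = verdicts[f.line_no]
        report[status].append({"finding": f, "severity": severity, "note": note})
    return report


# Constructed reviewer verdicts for the sample above.
REVIEW_VERDICTS = {
    2: ("confirmed", "high",
        "name comes straight from request.args and the query is executed on line 3"),
    5: ("false_positive", None,
        "MD5 is only a cache key here; nothing security-relevant depends on it"),
    6: ("confirmed", "medium",
        "unsalted, fast hash of a password; use a dedicated password hash instead"),
    7: ("false_positive", None,
        "placeholder literal, not a live credential"),
}


if __name__ == "__main__":
    hits = scan(SAMPLE_SOURCE)
    print(f"scanner raised {len(hits)} candidate issues")
    report = apply_review(hits, REVIEW_VERDICTS)
    for entry in report["confirmed"]:
        f = entry["finding"]
        print(f"line {f.line_no} [{entry['severity']}] {f.rule}: {entry['note']}")
    print(f"{len(report['false_positive'])} dismissed after manual verification")
```

Note that the parameterized query on line 4 of the sample is never flagged, while both MD5 calls are: the scanner cannot tell a cache key from a password hash, which is exactly the context a reviewer supplies before a finding is counted and its risk rated.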
5. VSEC SOURCE CODE REVIEW SERVICES
VSEC understands how to exploit vulnerable applications, since we are penetration testers. From this unique position, we offer Source Code Review services from the perspective of how an attacker can take advantage of poorly written code.
We check at least the security of the source code in the following areas:
6. We also analyze source code for vulnerabilities under the OWASP Top 10.
7. SOURCE CODE REVIEW PROCESS
Preparation: In preparation for a source code review, it is necessary to conduct a thorough study of the application, and then create a comprehensive threat profile.
Analysis: VSEC’s engineers study the code layout to develop a specific code review plan, and use a hybrid approach combining automated scans and custom manual review.
Solutions: After analysis, the next step in the source code review process is to verify existing flaws and generate reports with recommended solutions.
8. ADVANTAGES
Fast Delivery
Through code analysis, we easily detect flaws and avoid the need to send test data to the application or software, since access to the entire code base of the application is available.
Thorough Analysis
We evaluate the entire code layout of the application, including areas that would not be analyzed in an application security test, such as entry points for different inputs, internal interfaces and integrations, data handling and validation logic, and the use of external APIs and frameworks.
Going Beyond Testing Limitations
Using source code reviews, VSEC uncovers vulnerabilities and detects attack surfaces missed by automated code scans. Through this process, we identify design flaws and detect weak algorithms, insecure configurations and insecure coding practices.
9. Reporting
We produce source code review reports with an executive summary on strengths and weaknesses and detailed findings that include precise code-based solutions and fixes.
We Provide Solutions
VSEC secures sensitive data storage and suggests precise solutions customized for your developers, with code-level suggestions and more exhaustive checks to find all instances of common vulnerabilities.
Compliance
We help satisfy industry regulations and compliance standards, such as PCI DSS.
Vietnam Security Network Joint Stock Company
Address: Floor M, Block A, 275 Nguyen Trai Street, Thanh Xuan Dist., Hanoi, Vietnam
Phone: (+844) 666 406 99 – Hotline: (+849) 04 861 337
Email: contact@vsec.com.vn