UK
Uploaded byUsman Khan
PPTX, PDF370 views

Application Source code review Services

The document highlights the shortcomings in the Software Development Life Cycle (SDLC) regarding security focus, developer awareness, and adherence to standards. It emphasizes the need for a comprehensive review of business processes, application architecture, and critical security aspects like authentication and data validation. Strategies for improvement include protective and preventive measures, as well as utilizing automated and manual code reviews across various programming platforms.

Embed presentation

Download to read offline
Source Code Review The DTS Approach – Usman Khan
Why ? • SDLC – Security Not focused. • Less trained and awareness of developers. • Not following standards. • QA focus more on application functions delivery. • Beta testing can not generate security scenarios or risks. • SRS are too much focused towards.
What : The processes to secure. • Identify all Business processes. • Critical processes Review. • Type of data dealing with every process. • Prioritization of processes. • Business Process processes communication. • Identifying Approach of Application Designer/Architect. Application Architecture Focus
How - Looking at the Big Picture • Intent of Code Review. • Previous Breaches. • Major weaknesses in Business processes. Deployment. Application Model Authentication. Authorization. Session management. Data validation. Error handling. Memory allocation. SQL Parsing. Logging. Encryption. Boundary Checks. Concentrate on critical points.
Strategies • Protective strategy. • Preventive Strategy. • Deception. • Breaking your own system. • Code Exposure.
Service Delivery • Secure Application Architecture Review. • Secure Application Deployment Review. • Source Code Review of multiple platforms like .NET C/C++, Java , Ruby etc. etc. • Automated testing – Static and Dynamic Code Reviews ESC/Java (Extended Static Checking for Java) VCG – Java, C/C++, C#, PL/SQL BugScout – All Platform FxCop – Managed .NET Code RIPS - PHP PScan - C/C++ Scans Flawfinder – C/C++ Scans RATS (Rough Auditing Tool for Security) – C/C++ , PHP, Perl, Python • Manual Reviews • VAPT Review of reports.

More Related Content

PPTX
Application lifecycle management
byAchintya Kumar
 
PPTX
Testing Tools and Tips
bySoftServe
 
PPT
The security sdlc
byMohamed Siraj
 
PDF
Non-Functional Requirements
byYuriy Guts
 
PPTX
Agility reboot iv
byAndrew Chum
 
PDF
Software Infrastructure requirements elicitation and design roadmap - Innovat...
byInnovate Vancouver
 
PPTX
Continuous and Visible Security Testing with BDD-Security
byStephen de Vries
 
PPTX
Adressing nonfunctional requirements with agile practices
byMario Cardinal
 
Application lifecycle management
byAchintya Kumar
 
Testing Tools and Tips
bySoftServe
 
The security sdlc
byMohamed Siraj
 
Non-Functional Requirements
byYuriy Guts
 
Agility reboot iv
byAndrew Chum
 
Software Infrastructure requirements elicitation and design roadmap - Innovat...
byInnovate Vancouver
 
Continuous and Visible Security Testing with BDD-Security
byStephen de Vries
 
Adressing nonfunctional requirements with agile practices
byMario Cardinal
 

What's hot

PPT
Network security
byNur Aishah Roslan
 
PPTX
Agile and Secure Development
byNazar Tymoshyk, CEH, Ph.D.
 
PDF
Non-Functional Requirements
byDavid Simons
 
PPTX
Software test engineer
byAbdul Riyaz
 
PPT
Ch01
byKodok Ngorex
 
PPTX
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
byNazar Tymoshyk, CEH, Ph.D.
 
PPTX
OWASP Top 10 practice workshop by Stanislav Breslavskyi
byNazar Tymoshyk, CEH, Ph.D.
 
PPTX
Digital Product Security
bySoftServe
 
PPTX
Security as a new metric for Business, Product and Development Lifecycle
byNazar Tymoshyk, CEH, Ph.D.
 
PPT
Sergey Gordeychik, Security Metrics for PCI DSS Compliance
byqqlan
 
PDF
Building Quality in Legacy Systems - The Art of Asking Questions
byMufrid Krilic
 
PPT
Ch02
byKodok Ngorex
 
PDF
SAST vs. DAST: What’s the Best Method For Application Security Testing?
byCigital
 
PPTX
Security Testing - Tools & Techniques
byRamakrishnan Seshagiri
 
Network security
byNur Aishah Roslan
 
Agile and Secure Development
byNazar Tymoshyk, CEH, Ph.D.
 
Non-Functional Requirements
byDavid Simons
 
Software test engineer
byAbdul Riyaz
 
Ch01
byKodok Ngorex
 
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
byNazar Tymoshyk, CEH, Ph.D.
 
OWASP Top 10 practice workshop by Stanislav Breslavskyi
byNazar Tymoshyk, CEH, Ph.D.
 
Digital Product Security
bySoftServe
 
Security as a new metric for Business, Product and Development Lifecycle
byNazar Tymoshyk, CEH, Ph.D.
 
Sergey Gordeychik, Security Metrics for PCI DSS Compliance
byqqlan
 
Building Quality in Legacy Systems - The Art of Asking Questions
byMufrid Krilic
 
Ch02
byKodok Ngorex
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
byCigital
 
Security Testing - Tools & Techniques
byRamakrishnan Seshagiri
 

Viewers also liked

PPTX
Code review process with JetBrains UpSource
byOleksii Prohonnyi
 
PDF
Code Review Tool Evaluation
byKate Semizhon
 
PDF
Rolling Out An Enterprise Source Code Review Program
byDenim Group
 
PPT
Code Review
byRavi Raj
 
PPTX
Utility libraries to make your life easier
byOleksii Prohonnyi
 
ODP
Scada Security & Penetration Testing
byAhmed Sherif
 
PPTX
NETWORK PENETRATION TESTING
byEr Vivek Rana
 
PPT
Penetration Testing Basics
byRick Wanner
 
PPTX
Introduction to Penetration Testing
byAndrew McNicol
 
PDF
DTS Solution - SCADA Security Solutions
byShah Sheikh
 
PPTX
Scada Industrial Control Systems Penetration Testing
byYehia Elghaly
 
PPTX
Cloud security ppt
byVenkatesh Chary
 
PPTX
Cloud Computing Security
byNinh Nguyen
 
PPT
Network Security Threats and Solutions
byColin058
 
Code review process with JetBrains UpSource
byOleksii Prohonnyi
 
Code Review Tool Evaluation
byKate Semizhon
 
Rolling Out An Enterprise Source Code Review Program
byDenim Group
 
Code Review
byRavi Raj
 
Utility libraries to make your life easier
byOleksii Prohonnyi
 
Scada Security & Penetration Testing
byAhmed Sherif
 
NETWORK PENETRATION TESTING
byEr Vivek Rana
 
Penetration Testing Basics
byRick Wanner
 
Introduction to Penetration Testing
byAndrew McNicol
 
DTS Solution - SCADA Security Solutions
byShah Sheikh
 
Scada Industrial Control Systems Penetration Testing
byYehia Elghaly
 
Cloud security ppt
byVenkatesh Chary
 
Cloud Computing Security
byNinh Nguyen
 
Network Security Threats and Solutions
byColin058
 

Similar to Application Source code review Services

PPTX
How To Avoid Continuously Delivering Faulty Software
byErika Barron
 
PPTX
How to Avoid Continuously Delivering Faulty Software
byPerforce
 
PDF
AppSec in an Agile World
byDavid Lindner
 
PPTX
Static Code Analysis
byObika Gellineau
 
PPTX
Secure App Aspirations: Why it is very difficult in the real world
byOllie Whitehouse
 
PPTX
Static analysis for security
byFadi Abdulwahab
 
PDF
Arved sandstrom - the rotwithin - atlseccon2011
byAtlantic Security Conference
 
PPTX
Introduction of Secure Software Development Lifecycle
byRishi Kant
 
PPTX
Software engineering
byGuruAbirami2
 
PPTX
Secure SDLC in mobile software development.
byMykhailo Antonishyn
 
PPT
Software Security Engineering
byMarco Morana
 
PPTX
Hacker vs Tools: Which to Choose?
bySecurity Innovation
 
PPTX
Hacker vs tools
byGeoffrey Vaughan
 
PPTX
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
byQADay
 
PDF
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PPT
Verifcation &validation
byssusere50573
 
PPTX
prepare a complete 2 hours lecture for me on the topic of "source code analys...
bysabaamina001
 
PPTX
Software_Testing_Presentationsinsds.pptx
bycharushresthaa
 
How To Avoid Continuously Delivering Faulty Software
byErika Barron
 
How to Avoid Continuously Delivering Faulty Software
byPerforce
 
AppSec in an Agile World
byDavid Lindner
 
Static Code Analysis
byObika Gellineau
 
Secure App Aspirations: Why it is very difficult in the real world
byOllie Whitehouse
 
Static analysis for security
byFadi Abdulwahab
 
Arved sandstrom - the rotwithin - atlseccon2011
byAtlantic Security Conference
 
Introduction of Secure Software Development Lifecycle
byRishi Kant
 
Software engineering
byGuruAbirami2
 
Secure SDLC in mobile software development.
byMykhailo Antonishyn
 
Software Security Engineering
byMarco Morana
 
Hacker vs Tools: Which to Choose?
bySecurity Innovation
 
Hacker vs tools
byGeoffrey Vaughan
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
byQADay
 
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
Software security engineering
byAHM Pervej Kabir
 
Software security engineering
byAHM Pervej Kabir
 
Verifcation &validation
byssusere50573
 
prepare a complete 2 hours lecture for me on the topic of "source code analys...
bysabaamina001
 
Software_Testing_Presentationsinsds.pptx
bycharushresthaa
 

Recently uploaded

PDF
Top 3 Snapchat Monitoring Apps of 2026 for Activity Tracking
byMichael Carter
 
PDF
The Girl Who Left a Mark - Deep Impact of Kindness to a person
byAnoop Singh Nagi
 
PPTX
Your Complete Brand Protection Guide with Fieldwatch.ai!
byFieldwatch ai
 
PDF
Beacon Kit paper date: 11 February 2026 pdf
bySteven McGee
 
PPTX
AWS Architecture Design Icons Template.pptx
bybiqtor1
 
PPTX
Living in IT Era Module 5 - (DIGITAL TECHNOLOGY AND SOCIAL CHANGES).pptx
bycjregua03
 
PDF
Weaponizing the Neutral Web: Analyzing Adversary Botnets for Offensive Cyber ...
byJoe Slowik
 
Top 3 Snapchat Monitoring Apps of 2026 for Activity Tracking
byMichael Carter
 
The Girl Who Left a Mark - Deep Impact of Kindness to a person
byAnoop Singh Nagi
 
Your Complete Brand Protection Guide with Fieldwatch.ai!
byFieldwatch ai
 
Beacon Kit paper date: 11 February 2026 pdf
bySteven McGee
 
AWS Architecture Design Icons Template.pptx
bybiqtor1
 
Living in IT Era Module 5 - (DIGITAL TECHNOLOGY AND SOCIAL CHANGES).pptx
bycjregua03
 
Weaponizing the Neutral Web: Analyzing Adversary Botnets for Offensive Cyber ...
byJoe Slowik
 

Application Source code review Services

  • 1.
    Source Code Review TheDTS Approach – Usman Khan
  • 2.
    Why ? • SDLC– Security Not focused. • Less trained and awareness of developers. • Not following standards. • QA focus more on application functions delivery. • Beta testing can not generate security scenarios or risks. • SRS are too much focused towards.
  • 3.
    What : Theprocesses to secure. • Identify all Business processes. • Critical processes Review. • Type of data dealing with every process. • Prioritization of processes. • Business Process processes communication. • Identifying Approach of Application Designer/Architect. Application Architecture Focus
  • 4.
    How - Lookingat the Big Picture • Intent of Code Review. • Previous Breaches. • Major weaknesses in Business processes. Deployment. Application Model Authentication. Authorization. Session management. Data validation. Error handling. Memory allocation. SQL Parsing. Logging. Encryption. Boundary Checks. Concentrate on critical points.
  • 5.
    Strategies • Protective strategy. •Preventive Strategy. • Deception. • Breaking your own system. • Code Exposure.
  • 6.
    Service Delivery • SecureApplication Architecture Review. • Secure Application Deployment Review. • Source Code Review of multiple platforms like .NET C/C++, Java , Ruby etc. etc. • Automated testing – Static and Dynamic Code Reviews ESC/Java (Extended Static Checking for Java) VCG – Java, C/C++, C#, PL/SQL BugScout – All Platform FxCop – Managed .NET Code RIPS - PHP PScan - C/C++ Scans Flawfinder – C/C++ Scans RATS (Rough Auditing Tool for Security) – C/C++ , PHP, Perl, Python • Manual Reviews • VAPT Review of reports.

Editor's Notes

  • #5 Implementation – in coherence and present behind a firewall, does give access to database ? Server/client signatures verification to execute application. Application Model – MVC , three tier, Hierarchical Pattern, Authentication – The user has permissions to access the process and most importantly data associated with it. Authorization – Is authorization implemented , the level of access is being checked or not. Session Management – the time of staying logged in , logging in from multiple location , geo location sessions check. Data Validation – Is the data validated both on server and client side or at multiple tiers. Error Handling – Incase of error or unexpected situation does it is handled, if hacker breaches it from one layer than can you ensure it the error is handled at all level. Memory Allocation – Is the memory used and declared as per needed or extensible – why? If hacker can break all validation checks will he be able to generate memory or buffer overflow. Logging- Style of logs ? Security of logs and are the standards maintained to support SIEM and central logging. Boundary Checks- To meet special conditions at boundaries.
  • #7 We perform automated and manual testing for entire application in addition to secure architecture and secure deployment. These Review reports are than sent to VAPT team for further analysis and final report.