Green Method's team of application code review specialists is among the best in the industry. Our approach to application code review uses a practical methodology for identifying source code defects from a security perspective.
The intent of these services is to ensure that applications are not developed with security issues embedded in their code, which would later lead to vulnerabilities and insecure applications. Our services include practical recommendations on how to address identified issues, allowing developers to fast-track the mitigation process and shorten the time-to-service for new applications while still delivering secure applications. The services can be delivered across a number of development languages such as Java, C, Python, Ruby on Rails, etc.
The security code review is performed keeping in mind the industry best practices for secure coding, such as those of the Open Web Application Security Project (OWASP).
Typically, the following sets of activities are performed in chronological order.
The first phase of the code review exercise introduces the security consultants (reviewers) to the application's functionality through the code authors (developers). The developers demonstrate the application functionally, which gives the reviewers an understanding of its basic functionality. This assists the reviewers, in the later part of the assessment, in identifying any business logic security vulnerability that could exist in the application. It also helps the reviewers identify the following important aspects of the application:
In the next phase of the assessment, the developers take the reviewers through the application code from a functional standpoint. This is a very important piece of the assessment, as it enables the reviewers to perform the code review with a working knowledge of the dependencies between the various moving parts of the application.
This is the central and most critical phase of the assessment. With their knowledge of the application functionality and the relevant supporting code, the reviewers examine the code base for potential loopholes and/or vulnerabilities that could be exploited by an external or an internal attacker. The code review is performed keeping in mind the expectations and guidelines set forth by PCI DSS v3.0, the OWASP Top 10 2013, the CERT-US Coding Guidelines and industry best coding practices for applications.
An important part of the code review exercise is identifying the various threats (external or internal) that could be posed to an application. The threat modeling exercise lists an exhaustive set of possible attacks that could be launched against the application, based on the knowledge of its functionality and the profiling performed in the earlier stage of the assessment. The threats are broadly classified under the six major categories put forth by Microsoft's STRIDE model: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege. Please note that a threat model is not based on the vulnerabilities of an application; it is based on the attack scenarios that might be possible, given the absence of security controls in the application.
Every potential threat vector to the application is categorized under one of these six categories.
In the code analysis phase of the assignment, the reviewers go through the code base looking for possible security loopholes using both manual and automated code review techniques. All hand-written code is inspected for the presence or absence of controls that could prevent the application from being exploited through one of the STRIDE-based threats identified above. In addition, automated scripts (written by the reviewers on site, within the workspace) are run against the code base to drill down and extract lines of code that contain specific expressions or code snippets that could potentially pose a threat to the application. These hits are then inspected manually to rule out false positives and justified usages. The code analysis also inspects the controls the application already has in place as a defense against the threats described above. The following specific areas of security are inspected in detail:
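As an added illustration of the automated extraction step described above (example code written for this page, not Green Method's own tooling), the following Python scanner runs a rule table of risky expressions over a constructed source file, tags each hit with a STRIDE category for the manual triage that follows, and honours a `# reviewed:` marker that a reviewer leaves on a justified usage. The rule patterns, the marker convention and the sample file are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Rule table (constructed for this example): pattern, rule id, STRIDE category, reason.
RULES = [
    (re.compile(r"\b(eval|exec)\s*\("), "PY-EVAL", "Tampering", "dynamic code execution"),
    (re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True"), "PY-SHELL", "Elevation of privilege", "shell=True invites command injection"),
    (re.compile(r"(password|secret|api_key)\s*=\s*['\"][^'\"]+['\"]", re.I), "PY-SECRET", "Information disclosure", "hard-coded credential"),
    (re.compile(r"execute\([^)]*['\"]\s*(%|\+|\.format\()"), "PY-SQLFMT", "Tampering", "SQL built by string formatting"),
    (re.compile(r"verify\s*=\s*False"), "PY-TLS", "Spoofing", "TLS certificate verification disabled"),
]
# A reviewer records a justified usage with this marker so the line is not reported again.
SUPPRESS = re.compile(r"#\s*reviewed:")

@dataclass
class Finding:
    path: str
    line: int
    rule: str
    stride: str
    note: str
    snippet: str

def scan_source(path: str, text: str) -> list[Finding]:
    """Return every rule hit in `text`, skipping lines a reviewer has already justified."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SUPPRESS.search(line):
            continue
        for pattern, rule, stride, note in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, stride, note, line.strip()))
    return findings

def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per STRIDE category, the view the threat model is reconciled against."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.stride] = counts.get(f.stride, 0) + 1
    return counts

# Constructed sample module standing in for a file from the code base under review.
SAMPLE = '''\
import subprocess, requests
API_KEY = "constructed-example-key-000"
def run(cmd):
    return subprocess.run(cmd, shell=True)
def lookup(cur, uid):
    cur.execute("SELECT * FROM users WHERE id = %s" % uid)
def fetch(url):
    return requests.get(url, verify=False)
def parse(expr):
    return eval(expr)  # reviewed: expr is a constant read from config, not user input
'''

if __name__ == "__main__":
    for f in scan_source("constructed_sample.py", SAMPLE):
        print(f"{f.path}:{f.line} [{f.rule}/{f.stride}] {f.note}: {f.snippet}")
    print(summarize(scan_source("constructed_sample.py", SAMPLE)))
```

Each reported line still needs the manual inspection the text describes; the `%s` rule, for instance, fires on string formatting but would need a human to confirm the value is not already a bound parameter.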
The final phase of the code review exercise is the analysis and reporting of the findings enumerated during the course of the exercise. The entire set of findings is collated and rated based on the following parameters:
Based on the combination of the above parameters and risk management metrics, the findings are categorized by severity as High or otherwise. The reporting also includes suggested remediation strategies to be incorporated into the applications.