Application Code Review – Manual

Green Method’s team of Application Code Review Specialists is among the best in the industry. Our approach to application code review applies a practical methodology for identifying source code defects from a security perspective.

The intent of these services is to ensure that applications are not developed with code-related security issues embedded in them, issues that would later lead to vulnerabilities and insecure applications. Our services include practical recommendations on how to address the identified issues, allowing developers to fast-track mitigation and thereby shorten the time-to-service for new applications while still delivering secure ones. The services can be delivered across a number of development languages such as Java, C, Python, Ruby on Rails, etc.

The security code review is performed with the industry best practices for secure coding in mind, such as those of the Open Web Application Security Project (OWASP).
Typically, the following sets of activities are performed in chronological order.

Application Profiling

This first phase of the code review exercise involves the security consultants (reviewers) being introduced to the application’s functionality by the code authors (developers). The developers demonstrate the application functionally, which helps the reviewers understand its basic behaviour. This assists the reviewers, later in the assessment, in identifying any business-logic security vulnerabilities that could exist in the application. It also helps the reviewers identify the following important aspects of the application:

  • Input Vectors
  • Output Vectors
  • Critical Data Assets

Detailed Code Walkthrough

The next phase of the assessment involves the reviewers being taken through the application code from a functional standpoint. This is a very important piece of the assessment, as it enables the reviewers to perform the review of the code base with an understanding of the dependencies between the various moving parts of the application.

Code Review

This is the central and most critical phase of the assessment. The reviewers, with their knowledge of the application functionality and the relevant supporting code, review the code base for potential loopholes and/or vulnerabilities that could be exploited by an external or an internal attacker. The code review is performed keeping in mind the expectations and guidelines set forth by PCI DSS v3.0, the OWASP Top 10 2013, the CERT (US) Coding Guidelines and industry best coding practices for applications.

Threat Modeling

An important part of the code review exercise is identifying the various threats (external or internal) that could be posed to an application. The threat modeling exercise lists an exhaustive set of possible attacks that could be launched against the application, drawing on the knowledge of its functionality and the profiling performed in the earlier stage of the assessment. The threats are broadly classified under the six major categories put forth by Microsoft’s STRIDE model. Please note that a threat model is not based on the vulnerabilities of an application; it is based on attack scenarios that might be possible given the absence of security controls in the application.

  • Spoofing
  • Tampering
  • Repudiation
  • Information Leakage/Disclosure
  • Denial of Service
  • Elevation of Privileges

Every potential threat vector to the application is categorized under one of the above listed six categories.

Code Analysis

The code analysis phase of the assignment involves the reviewers going through the code base looking for possible security loopholes through both manual and automated code review techniques. Each piece of hand-written code is inspected for the presence or absence of controls that could prevent the application from being exploited through one of the above-mentioned STRIDE threats. Further, automated scripts (written by the reviewers on site, within the workspace) are run against the code base to drill down and extract lines of code that contain specific expressions or code snippets that could potentially pose a threat to the application. These too are manually inspected to rule out false positives or justified usage. The code analysis also inspects the controls the application already has in place as a defence against the above-mentioned threats. The following specific areas of security are inspected in detail:

  • Authentication
  • Authorization
  • Cryptography
  • Logging
  • Data Input Validation and Output Encoding
  • Error/ Exception Handling
  • Session Management
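The "automated scripts run against the code base, with every hit manually inspected" step above is, in practice, a pattern scanner followed by reviewer triage. The script below is an added illustration of that workflow and is not Green Method’s tooling: the rule set, the STRIDE tags attached to each rule, and the sample source it scans are all constructed for the example. It extracts lines matching each expression, and then lets a reviewer mark individual hits as justified (here, an md5 call used only for cache keys) so that only the unresolved hits reach the report.

```python
import re
from dataclasses import dataclass

# Constructed rule set (hypothetical; not Green Method's own scripts). Each rule is a
# regex for a construct that deserves a manual look, tagged with the STRIDE category
# the construct most often feeds. Double-quoted literals only, to keep the regexes simple.
RULES = [
    ("hardcoded_secret", r'(?i)(password|secret|api_key)\w*\s*=\s*"[^"]+"',
     "Information Disclosure"),
    ("sql_string_concat", r'\bexecute\s*\(\s*(f"|"[^"]*"\s*(\+|%|\.format))',
     "Tampering"),
    ("weak_hash", r"\b(md5|sha1)\s*\(", "Tampering"),
    ("eval_usage", r"\beval\s*\(", "Elevation of Privileges"),
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    rule: str
    stride: str
    text: str


def scan(source: str, rules=RULES) -> list[Hit]:
    """Return every line that matches a rule, in file order (one Hit per rule match)."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # pure comment lines only add noise
            continue
        for name, pattern, stride in rules:
            if re.search(pattern, line):
                hits.append(Hit(line_no, name, stride, line.strip()))
    return hits


def triage(hits: list[Hit], justified: set[tuple[int, str]]) -> list[Hit]:
    """Drop hits a reviewer has marked as justified after reading the surrounding code."""
    return [h for h in hits if (h.line_no, h.rule) not in justified]


# Constructed sample of "hand-written code" to scan; not taken from any real project.
SAMPLE = '''\
import hashlib
DB_PASSWORD = "hunter2"  # constructed hard-coded credential
def lookup(cursor, user):
    cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")
def digest(data):
    return hashlib.md5(data).hexdigest()  # cache key only, not a security control
def run(expr):
    return eval(expr)
def safe_lookup(cursor, user):
    cursor.execute("SELECT * FROM users WHERE name = %s", (user,))
'''

if __name__ == "__main__":
    hits = scan(SAMPLE)
    # The md5 call on line 6 is a reviewer decision: justified here because it
    # builds a cache key rather than protecting integrity or passwords.
    for h in triage(hits, justified={(6, "weak_hash")}):
        print(f"line {h.line_no:>3} [{h.rule} / {h.stride}] {h.text}")
```

Note that `safe_lookup` produces no hit even though its query contains `%s`: the rule only fires when a string literal is followed by concatenation or formatting, which is the distinction a reviewer would otherwise have to make by hand for every parameterised query. The STRIDE tag on each rule is a starting point for the threat-model mapping, not a verdict; the category a finding is finally filed under still comes from the manual inspection.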

Analysis and Reporting

The final phase of the code review exercise is the analysis and reporting of the various findings enumerated during the course of the exercise. The entire set of findings is collated and rated based on the following parameters:

  • Risk of the Vulnerability
  • Probability of Occurrence
  • Business Impact of Exploit

Based on the combination of the above-mentioned parameters and risk management metrics, the findings are categorized as High or a lower severity. The reporting also includes suggestions of appropriate remediation strategies to be incorporated in the applications.
