Application Code Review

Waypoints In Our Code Review Journey

Code Review – Service Overview

Ensuring Application Security At Source Code

The Intent

To ensure that applications are not shipped with code-level security defects that could later turn into exploitable vulnerabilities.

The Services

  • Practical recommendations on how to address identified issues allowing developers to fast-track the mitigation process
  • Allowing a quicker time-to-service for new applications while still delivering secure applications
  • Deliverable in several development languages such as Java, C, Python, Ruby on Rails, etc.

Review Execution

The security code review is performed with the industry best practices for secure coding in mind, such as those published by the Open Web Application Security Project (OWASP). It typically involves the following activities, in chronological order.

Application Profiling

Getting On The Same Page With Application Functionalities

The Code Review exercise begins with the security consultants (reviewers) being introduced to the application functionality by the code authors (developers). The developers demonstrate the application end to end so that the reviewers understand the application basics and, in particular, the following aspects:

  • Input Vectors
  • Output Vectors
  • Critical Data Assets

This helps the reviewers, in the subsequent phases, identify any business-logic security vulnerabilities that may exist in the application.

Detailed Code Walkthrough

Dive Into The Code Base & Explore Dependencies

In this phase, the reviewers are walked through the application code from a functional standpoint. This is an important part of the assessment: it lets the reviewers review the code base with a working knowledge of the dependencies between the various moving parts of the application.

Code Review

Specialists Scrutinizing The Code Integrity

Following strict protocols

Reviews are performed keeping in mind the expectations and guidelines set forth by PCI DSS v3.0, the OWASP Top 10 2013, the CERT-US Coding Guidelines, and industry best coding practices for applications.

A significant process

This is the central and most critical phase of the assessment. Armed with the functionality and code knowledge, reviewers examine the code base for potential loopholes and vulnerabilities that an external or internal attacker could exploit.

Threat Modeling

Mapping The Threats In The Steps Of STRIDE

In the code review, it is important to identify the various threats (external or internal) to an application. The threat modeling exercise enumerates the set of possible attacks that could be launched against the application. It is conducted using the knowledge of the functionality and the profiling acquired earlier.

The threats are broadly classified under 6 major categories, as put forth by Microsoft’s STRIDE model.

  • Spoofing
  • Tampering
  • Repudiation
  • Information Leakage/Disclosure
  • Denial of Service
  • Elevation of Privilege

Note: A threat model is not based on the vulnerabilities found in an application. It is based on the attack scenarios that become possible when particular security controls are absent from the application.

Code Analysis

Cementing The Code Review Results With A Deeper Dive

Under code analysis, reviewers go through the codebase, looking for possible security loopholes, through both manual and automated code review techniques.

The following specific areas of security are inspected in detail:

  • Authentication
  • Authorization
  • Cryptography
  • Logging
  • Data Input Validation and Output Encoding
  • Error/Exception Handling
  • Session Management

All hand-written code is inspected for the presence or absence of controls that would prevent the application from being exploited through one of the STRIDE-based threats.

Automated scripts, written on site by the reviewers, are run against the code base to drill down and extract the lines of code that contain specific expressions or code snippets that could potentially pose a threat to the application.

The lines flagged by the scripts are then inspected manually to weed out false positives and justified usages. The code analysis also examines the controls the application already has in place as defenses against the modeled threats.
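As an added illustration of the kind of reviewer-written pattern-hunting script described above (example code, not the service's own tooling), the following scans a constructed sample code base for risky expressions, tags each hit with the STRIDE category it should be checked against, and keeps hits that carry a reviewer's "review-ok" justification out of the open findings list. The file contents, pattern list and `review-ok` marker are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample "code base" (file path -> source); not taken from any real project.
SAMPLE_FILES = {
    "app/db.py": (
        "def find_user(conn, name):\n"
        "    cur = conn.cursor()\n"
        "    cur.execute(\"SELECT * FROM users WHERE name = '\" + name + \"'\")\n"
        "    return cur.fetchone()\n"
    ),
    "app/util.py": (
        "import hashlib\n"
        "def fingerprint(data):\n"
        "    return hashlib.md5(data).hexdigest()  # review-ok: non-security checksum\n"
        "def load(expr):\n"
        "    return eval(expr)\n"
    ),
}

# Hunting patterns: (regex, issue description, STRIDE category the reviewer checks it against).
PATTERNS = [
    (r"\bexecute\(\s*[\"'].*[\"']\s*\+", "SQL query built by string concatenation", "Tampering"),
    (r"\beval\(", "eval() on runtime data", "Elevation of Privilege"),
    (r"\bhashlib\.md5\(", "MD5 in use", "Tampering"),
]

# A trailing "review-ok: <reason>" comment records a justified usage agreed during manual triage.
JUSTIFIED = re.compile(r"#\s*review-ok:\s*(.+)$")

@dataclass
class Hit:
    path: str
    line_no: int
    line: str
    issue: str
    stride: str
    justification: Optional[str]  # None means the hit still needs a reviewer decision

def scan(files):
    """Return every pattern hit in the given files, in file and line order."""
    hits = []
    for path, source in files.items():
        for no, line in enumerate(source.splitlines(), 1):
            for pattern, issue, stride in PATTERNS:
                if re.search(pattern, line):
                    m = JUSTIFIED.search(line)
                    hits.append(Hit(path, no, line.strip(), issue, stride, m.group(1).strip() if m else None))
    return hits

def open_findings(hits):
    """Hits without a recorded justification: the list the reviewer works through by hand."""
    return [h for h in hits if h.justification is None]
```

Running `open_findings(scan(SAMPLE_FILES))` yields the SQL concatenation in `app/db.py` and the `eval()` call in `app/util.py`; the MD5 hit is still reported but is carried as justified.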

Analysis and Reporting

Outcome – In One Shot

The final phase of the Code Review is the analysis and reporting of the findings enumerated during the exercise. The entire set of findings is collected and rated on the following parameters:

  • Risk of the Vulnerability
  • Probability of Occurrence
  • Business Impact of Exploit

Based on the combination of these parameters and risk management metrics, the findings are categorized by severity as High or lower. The report also suggests appropriate remediation strategies to be incorporated into the application.

Cement The Robust Health Of Your Application Code