Application
Waypoints In Our Code Review Journey
Code Review – Service Overview
Ensuring Application Security At Source Code
Review Execution
The security code review is performed against industry best practices for secure coding, such as those published by the Open Web Application Security Project (OWASP). It typically involves the following activities, in chronological order.
Application Profiling
Getting On The Same Page With Application Functionalities
The code review exercise begins with the security consultants (reviewers) being introduced to the application by its authors (developers). The developers demonstrate the application so that the reviewers understand its basic workings and, in particular, the following:
- Input Vectors
- Output Vectors
- Critical Data Assets
This helps the reviewers identify, in the subsequent phases, any business-logic security vulnerability that could exist in the application.
Detailed Code Walkthrough
Dive Into The Code Base & Explore Dependencies
In this phase the developers walk the reviewers through the application code from a functional standpoint. This step matters because the review that follows leans on the imparted knowledge of the dependencies between the various moving parts of the application.
Code Review
Specialists Scrutinizing The Code Integrity
Following strict protocols
Reviews are performed against the expectations and guidelines set forth by PCI DSS v3.0, the OWASP Top 10 (2013), the CERT (US) secure coding guidelines, and industry best coding practices for applications.
A significant process
This is the central and most critical phase of the assessment. Armed with the functionality and code knowledge, the reviewers examine the code base for loopholes and vulnerabilities exploitable by an external or internal attacker.
Threat Modeling
Mapping The Threats In The Steps Of STRIDE
During the code review it is important to identify the threats, external and internal, to the application. The threat modeling exercise enumerates the attacks that could be launched against the application, using the knowledge of its functionality gathered during profiling. Threats are classified under the STRIDE categories:
- Spoofing
- Tampering
- Repudiation
- Information Leakage/Disclosure
- Denial of Service
- Elevation of Privileges
Note: A threat model is not based on the vulnerabilities found in an application. It is based on the attack scenarios that would become possible if a given security control were absent from the application.
Code Analysis
Cementing The Code Review Results With A Deeper Dive
In code analysis the reviewers go through the code base looking for security loopholes, using both manual and automated review techniques. The following areas are inspected in detail:
- Authentication
- Authorization
- Cryptography
- Logging
- Data Input Validation and Output Encoding
- Error/ Exception Handling
- Session Management
Each hand-written code path is inspected for the presence or absence of controls that would prevent the application from being exploited through one of the STRIDE threats.
Automated scripts, written by the reviewers on site, are run against the code base to extract the lines of code that contain specific expressions or usages of code snippets that could pose a threat to the application.
The script output is then inspected manually to weed out false positives and justified usages. The analysis also examines the controls the application already has in place as a defence against the threats identified.
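As an added example, not the service's own tooling, here is the kind of reviewer-written extraction script the two paragraphs above describe: it pulls out lines matching risky expressions, tags each hit with the control area from the checklist and the STRIDE threat it most often enables (so the counts can feed the threat model from the earlier section), and skips lines a reviewer has already marked as justified during triage. The pattern table, the `review-ok` marker convention and the embedded sample source are all constructed for this example.

```python
"""Reviewer-style sink scanner: extract lines worth a manual look and map
them to the code-analysis checklist area and the STRIDE threat they enable.
Illustrative code; patterns, marker and sample are constructed, not a real
project's."""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# (regex, checklist area, STRIDE threat it usually enables, reason). Constructed.
SINK_PATTERNS = [
    (r"\bos\.system\(|\bsubprocess\.\w+\([^)]*shell\s*=\s*True",
     "Input Validation", "Elevation of Privilege", "shell command built at runtime"),
    (r"\beval\(|\bexec\(", "Input Validation", "Elevation of Privilege", "dynamic code execution"),
    (r"\bpickle\.loads?\(|\byaml\.load\((?![^)]*SafeLoader)",
     "Input Validation", "Tampering", "unsafe deserialization"),
    (r"\.execute\(\s*(f[\"']|[\"'][^\"']*%|.*\+)",
     "Input Validation", "Tampering", "SQL statement built by string formatting"),
    (r"\bhashlib\.(md5|sha1)\(", "Cryptography", "Tampering", "weak hash function"),
    (r"\brandom\.(random|randint|choice|getrandbits)\(",
     "Cryptography", "Spoofing", "non-cryptographic RNG for a security value"),
    (r"\bverify\s*=\s*False", "Authentication", "Spoofing", "TLS certificate verification disabled"),
    (r"(password|passwd|secret|api_key)\s*=\s*[\"'][^\"']+[\"']",
     "Authentication", "Information Disclosure", "hard-coded credential"),
    (r"^\s*except\s*:\s*$", "Error/Exception Handling", "Repudiation", "bare except hides failures"),
]
COMPILED = [(re.compile(rx, re.IGNORECASE), area, threat, why)
            for rx, area, threat, why in SINK_PATTERNS]

# Assumed triage convention: a reviewer appends this marker after judging a
# hit to be justified, so re-runs of the script stop reporting it.
REVIEW_OK = re.compile(r"#\s*review-ok\b")


@dataclass(frozen=True)
class Finding:
    path: str
    lineno: int
    area: str
    threat: str
    reason: str
    code: str


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Return one Finding per (line, pattern) hit, skipping triaged lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if REVIEW_OK.search(line):
            continue  # already judged as justified usage by a reviewer
        for rx, area, threat, why in COMPILED:
            if rx.search(line):
                findings.append(Finding(path, lineno, area, threat, why, line.strip()))
    return findings


def scan_paths(root: str, suffixes=(".py",)) -> list[Finding]:
    """Walk a checkout and scan every source file with a matching suffix."""
    out = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix in suffixes:
            out.extend(scan_text(p.read_text(errors="replace"), str(p)))
    return out


def stride_summary(findings) -> dict[str, int]:
    """Count hits per STRIDE category; useful as input to the threat-model table."""
    return dict(Counter(f.threat for f in findings))


# Constructed sample code base (not from any real application).
SAMPLE_SOURCE = '''\
import os, hashlib, pickle, random, subprocess
API_KEY = "sk-live-0000"  # constructed placeholder
def run(cmd):
    os.system("ls " + cmd)
def load(blob):
    return pickle.loads(blob)
def token():
    return str(random.random())
def digest(data):
    return hashlib.sha256(data).hexdigest()
def lookup(cur, user):
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")
def legacy_id(data):
    return hashlib.md5(data).hexdigest()  # review-ok: non-security checksum
'''

if __name__ == "__main__":
    results = scan_paths(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_SOURCE, "sample.py")
    for f in results:
        print(f"{f.path}:{f.lineno}  [{f.area} / {f.threat}] {f.reason}\n    {f.code}")
    print("STRIDE summary:", stride_summary(results))
```

Run it with a checkout path to scan real files, or with no argument to scan the embedded sample: the sha256 line and the marked md5 line are not reported, while the hard-coded key, the shell call, the pickle load, the non-cryptographic RNG and the concatenated SQL are, each tagged for the manual pass that follows.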
Analysis and Reporting
Outcome – In One Shot
Each finding is assessed on three parameters:
- Risk of the Vulnerability
- Probability of Occurrence
- Business Impact of Exploit
Based on the combination of these parameters and risk-management metrics, the findings are categorized by severity (High and below). The report also recommends appropriate remediation strategies to be incorporated into the application.