Application Source Code Security Review
Application Source Code Security Reviews are the most in-depth tool available for analysing application security vulnerabilities. Security Compass consultants review source code in a variety of programming languages to uncover software security flaws at their source.
Overview
- Discover application security vulnerabilities using static source code analysis
- Deep understanding of the application, to uncover risks posed by even the most knowledgeable insider
- For the most comprehensive testing coverage, combine with Application Penetration Testing and Threat Modelling
Key Business Benefits
- Decreased overall cost by identifying a larger number of vulnerabilities
- Understanding of risk posed by all attackers, including malicious insiders
- Improved compliance with regulations and control frameworks, such as the Payment Card Industry Data Security Standard (PCI DSS), COBIT, ISO/IEC 27001 and 27002 (the latter formerly ISO/IEC 17799), GLBA, etc.
Our Approach
Security Compass' approach to Application Source Code Security Review involves:
- Threat Analysis—Incorporate the full threat analysis methodology
- Cursory Review of Code—All reviewers gain a high-level understanding of the code base so that they can follow the subsequent steps
- Separation of Code—As with Threat Analysis, divide the code into sections according to the security-relevant areas identified, so that review work can be assigned to different reviewers
- Maintain Code Notes—Make notes on vulnerabilities and document each specific finding
- Detailed Code Analysis—Search through the code to identify security vulnerabilities. Distinguish individual errors from systemic issues; systemic issues are tracked separately and their recommendations are presented in the summary report.
- Review for Language-Specific Issues—Look for known issues specific to the platform being reviewed (e.g. unsafe use of the Java logger, buffer overflow conditions in C++, insecure remote procedure call communication, etc.)
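To make the "Detailed Code Analysis" and "Review for Language-Specific Issues" steps concrete, here is an added example (not Security Compass tooling or code from this page) of the kind of first-pass scan a reviewer runs before reading code by hand. The two rules, the `systemic_threshold` of two files, and the sample `auth.c`, `net.cpp`, `Login.java` and `Report.java` snippets are all constructed for the example; a real review uses a far larger rule set and, above all, manual reading of the flagged code.

```python
"""First-pass source scanner: language-specific patterns plus
individual-vs-systemic classification (added example, constructed inputs)."""
import re
from collections import defaultdict

# Assumed rules for the example: (language, finding id, regex, description).
RULES = [
    ("c", "unbounded-copy",
     re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\("),
     "unbounded copy into a fixed-size buffer (buffer overflow condition)"),
    ("java", "log-injection",
     re.compile(r"\blog(?:ger)?\.\w+\(.*\+\s*\w*(?:request|req|param|input)\w*"),
     "request-controlled data concatenated into a log message (log forging)"),
]

# Constructed sample sources, keyed by path. Line numbers are 1-based.
SAMPLE_SOURCES = {
    "auth.c": (
        "int check(const char *user) {\n"
        "    char name[32];\n"
        "    strcpy(name, user);  /* no length check */\n"
        "    return lookup(name);\n"
        "}\n"),
    "net.cpp": (
        "void reply(const char *host) {\n"
        "    char buf[64];\n"
        "    sprintf(buf, \"Host: %s\", host);\n"
        "    send_line(buf);\n"
        "}\n"),
    "Login.java": (
        "public void login(HttpServletRequest request) {\n"
        "    logger.info(\"login attempt for \" + request.getParameter(\"user\"));\n"
        "}\n"),
    "Report.java": (
        "public void run() {\n"
        "    logger.info(\"report generated\");\n"
        "}\n"),
}


def language_of(path):
    """Map a file name to the rule language; None means the file is skipped."""
    if path.endswith((".c", ".cpp", ".h")):
        return "c"
    if path.endswith(".java"):
        return "java"
    return None


def scan(sources):
    """Apply every rule for the file's language to each line.

    Returns a list of findings; each records where it was found (path and
    line) so it can go straight into the reviewer's code notes."""
    findings = []
    for path, text in sources.items():
        lang = language_of(path)
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule_lang, fid, rx, desc in RULES:
                if rule_lang == lang and rx.search(line):
                    findings.append({"path": path, "line": lineno, "id": fid,
                                     "desc": desc, "code": line.strip()})
    return findings


def classify(findings, systemic_threshold=2):
    """Separate individual errors from systemic issues.

    A finding id is treated as systemic when it fires in at least
    `systemic_threshold` distinct files (assumed heuristic for the example).
    Returns (individual findings, {systemic id: sorted list of files})."""
    files_by_id = defaultdict(set)
    for f in findings:
        files_by_id[f["id"]].add(f["path"])
    systemic = {fid for fid, paths in files_by_id.items()
                if len(paths) >= systemic_threshold}
    individual = [f for f in findings if f["id"] not in systemic]
    return individual, {fid: sorted(files_by_id[fid]) for fid in systemic}


def report(findings):
    """Render findings as 'path:line id: description' lines for the notes."""
    return ["%s:%d %s: %s" % (f["path"], f["line"], f["id"], f["desc"])
            for f in findings]


if __name__ == "__main__":
    found = scan(SAMPLE_SOURCES)
    individual, systemic = classify(found)
    print("Individual findings:")
    for line in report(individual):
        print("  " + line)
    print("Systemic issues (recommend in summary report):")
    for fid, files in systemic.items():
        print("  %s in %s" % (fid, ", ".join(files)))
```

Run as-is it flags the `strcpy` and `sprintf` calls in both C/C++ files and the request-derived concatenation in `Login.java`, while the constant log message in `Report.java` passes. Because the unbounded-copy pattern recurs across files it is promoted to a systemic issue, which is exactly the distinction the methodology asks the reviewer to make before writing the summary report.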
Deliverables
The end result of this activity is a report detailing the vulnerabilities discovered, where they were discovered, and how they can be remediated.
Security Compass also provides strategic analysis of vulnerability root causes, and both enterprise-wide and department/group-specific initiatives that can cost-effectively reduce vulnerabilities in the future.
Please refer to the Application Source Code Security Review Case Study for an example of our work.
