Secure Code Review

Code review is a methodical examination of an application’s source code with the goal of identifying security risks resulting from programming errors, non-compliance with standards, or the intentional insertion of backdoors. It primarily focuses on identifying vulnerabilities in control structures, user input validation, error handling, file manipulation, and function input parameters.

Objectives

The purpose of a security code review is to identify and eliminate programming mistakes that could lead to vulnerabilities in the resulting application.

Typical issues that pose risks are found in user input validation and processing, as well as in missing defensive mechanisms against known types of attacks (e.g., brute-force, CSRF, DoS).

Procedure

The code review process includes several steps, such as:

  • Automated static code analysis using tools like SonarQube, aimed at identifying problematic code segments that may indicate errors.

  • After the initial automated scan, we perform a manual code review to eliminate false positives identified by the tool and confirm the truly significant issues.

  • Special attention (regardless of SonarQube results) is always given to the handling of all expected user inputs in the assessed application. We evaluate not only whether the application’s input checks are implemented correctly, but also whether protections against known attack types (such as CSRF or XSS) are in place. This includes assessing the application’s resilience to forged input.

  • We apply our unique expertise, acquired over decades of penetration testing, which includes knowledge of numerous, sometimes very unusual attack techniques (e.g., exploiting timing variations in similar query structures), to which an application may be sensitive.

  • Our know-how is not limited to what automated tools can find, which enables us to identify issues that go undetected by automated scanners.
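As an added illustration (not part of the original page and not the reviewer's own tooling), the following Python shows two findings of the kind the manual pass above confirms after the automated scan: user input reflected into HTML, and a CSRF token compared in a way whose timing depends on the input. Each handler is shown in the shape a reviewer would flag and then in the hardened form a report would propose. The name format, the sample inputs and the token value are constructed for the example.

```python
"""Two findings of the kind a manual secure code review confirms, each shown in
the shape a reviewer flags and then in the hardened form proposed in the report.
All inputs below are constructed for this illustration."""
import hmac
import html
import re

# Finding 1: user input reflected into HTML without validation or output encoding.


def greeting_vulnerable(name: str) -> str:
    """The name is concatenated verbatim, so markup in the input becomes
    markup in the page (reflected XSS)."""
    return "<p>Hello, " + name + "!</p>"


# Allow-list of what a name is expected to look like in this application
# (constructed for the example: letters, spaces, apostrophes, hyphens, max 40 chars).
NAME_RE = re.compile(r"[A-Za-z][A-Za-z '\-]{0,39}")


def greeting_hardened(name: str) -> str:
    """Reject input that does not match the expected format, and still encode
    on output: validation and output encoding are separate defences."""
    if NAME_RE.fullmatch(name) is None:
        raise ValueError("name does not match the expected format")
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


def is_rejected(name: str) -> bool:
    """True if the hardened handler refuses the input."""
    try:
        greeting_hardened(name)
    except ValueError:
        return True
    return False


# Finding 2: CSRF token compared with ==, which may stop at the first differing
# character, so its running time can depend on how much of the token matches.


def csrf_check_vulnerable(session_token: str, submitted: str) -> bool:
    return session_token == submitted


def csrf_check_hardened(session_token: str, submitted: str) -> bool:
    """hmac.compare_digest takes time independent of where the values differ.
    Both sides are encoded to bytes first so that a non-ASCII submission fails
    the check instead of raising TypeError."""
    return hmac.compare_digest(session_token.encode("utf-8"),
                               submitted.encode("utf-8"))


def review_findings() -> dict:
    """Run constructed inputs through both versions of each handler and
    return the behaviours the review would document."""
    xss_payload = "<script>alert(1)</script>"
    token = "0123456789abcdef0123456789abcdef"  # constructed session token
    return {
        "xss_reflected_in_vulnerable": "<script>" in greeting_vulnerable(xss_payload),
        "xss_rejected_by_hardened": is_rejected(xss_payload),
        "legit_name_still_served": greeting_hardened("O'Brien"),
        "csrf_hardened_accepts_match": csrf_check_hardened(token, token),
        "csrf_hardened_rejects_mismatch": csrf_check_hardened(token, token[:-1] + "0"),
    }


if __name__ == "__main__":
    for finding, result in review_findings().items():
        print(f"{finding}: {result}")
```

The two defences in the first finding are deliberately kept separate: the allow-list stops unexpected input at the boundary, while output encoding protects the page even if a future code path accepts a wider character set.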

All findings, along with proposed code modifications, are included in the final report.

Other Types of Testing

In addition to the tests described above, we also provide our clients with various other types of penetration testing – see Penetration Testing Overview.

Any questions?

If you are interested in more details please contact us.


Tel: +420-226-523-026