
Application Security Code Review

Application security code review is a line-by-line inspection of an application's source code to identify security flaws or backdoors left in the application. The review is designed to highlight potential security vulnerabilities in the application based on a defined application threat model. It is intended to identify unsafe coding practices in areas including, but not limited to:

  • Authentication
  • Authorization
  • Session Management
  • Cryptography
  • Error Handling
  • Information Leakage
  • Data Validation and Language Specific Coding Issues

Our professionals are well versed in nearly all programming languages in use today, including Java, C#, ASP, C/C++, Visual Basic, Perl, Python, Tcl and assembly language on various platforms.



Our Approach

Our approach to Application Security Code Review typically involves the following steps:

  • Threat Modeling: A high-level threat model is built in coordination with the development team, which helps us understand the application's functionality and the security threats it faces. Risks identified in the threat model tell us which code to examine first and most deeply.
  • Automation: Automated tools assess the code for semantic and language-specific security bugs and focus the search for vulnerabilities such as cross-site scripting (XSS), injection flaws, file canonicalization issues and other classes that are labour-intensive to find by hand.
  • Manual Validation: Significant issues raised by the tools are validated by hand, and a line-by-line inspection of the application code is conducted to find logic errors, insecure use of cryptography, insecure system configuration, and other known issues specific to the platform (e.g. buffer overflows).
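As an added illustration of how the automation step feeds manual validation (example code written for this page, not the firm's tooling or code from the original): a small rule-based scan over a constructed Python sample that tags each hit with one of the review categories above and leaves the judgement to the reviewer. The rules, the sample source and the category labels are assumptions made for the demonstration.

```python
# Tool-guided review pass: flag candidate findings by review category for a human to validate.
from __future__ import annotations
import re
from collections import namedtuple

Finding = namedtuple("Finding", "category line_no detail code")

# (review category, what a hit suggests, line-level regex). Rules are deliberately loose:
# they trade false positives for recall, which is why every hit goes to manual validation.
RULES = [
    ("Authentication", "hard-coded credential",
     re.compile(r'(password|secret|api_key)\s*=\s*["\']', re.I)),
    ("Injection", "SQL text built by concatenation or formatting",
     re.compile(r'\.execute\(\s*(f["\']|["\'].*["\']\s*(\+|%))')),
    ("Cryptography", "weak hash algorithm",
     re.compile(r'hashlib\.(md5|sha1)\(')),
    ("File Canonicalization", "file path built from request input",
     re.compile(r'open\(.*request\.')),
]

def scan(source: str) -> list[Finding]:
    # Run every rule over every line of the source; hits come back in source order.
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for category, detail, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(category, line_no, detail, line.strip()))
    return findings

def by_category(findings: list[Finding]) -> dict[str, int]:
    # Hits per category, so the reviewer knows where to spend time first.
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts

# Constructed sample under review (not real project code): one hit per rule,
# plus a parameterised query (line 6) that must stay clean.
SAMPLE = '''import hashlib
ADMIN_PASSWORD = "example-only"
def lookup(conn, user_id):
    return conn.execute("SELECT * FROM users WHERE id = " + user_id)
def lookup_safe(conn, user_id):
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,))
def digest(pw):
    return hashlib.md5(pw.encode()).hexdigest()
def serve(request):
    return open("/srv/files/" + request.args["name"]).read()
'''
if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: [{f.category}] {f.detail}: {f.code}")
```

Running it lists four candidate findings, one per rule, and leaves the parameterised query untouched; each candidate still needs a reviewer to confirm it is reachable and exploitable before it becomes a reported issue.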

 

Typically, our manual and tool-guided reviews identify issues such as:

  • Poor enforcement of authentication and access control
  • Weak cryptographic algorithms and implementation
  • Insecure database access
  • Inadequate protection of data
  • Missing or weak security boundaries
  • Exploitable gaps in business logic
  • Poor resource management
  • Insufficient audit records
  • Vulnerability to well-known attacks such as SQL injection, cross-site scripting (XSS), buffer overflows, and many others
  • Miscellaneous code quality and consistency issues
  • Non-compliance with organizational code development policies


What You Can Expect

  • Security Pros with Development/Engineering Background
  • Proven Methodology
  • Business Minded Approach
  • Excellent Reporting
  • Review and Explanation of all Discovered Findings
  • Realistic Recommendations for Remediation
  • Reduced Risk

 


Code Review White Paper

Download: Code Review White Paper.pdf (315 KB)
© 2010 Aliado Accesso LLC