Secure Code Review

Web applications are a core component for almost all companies. They are used for various reasons, and very often, capture, handle, store and transmit sensitive data (confidential business information, HR data, financial information, etc.).

The high value of the data accessed via web applications makes them attractive targets, so regular assessments are highly recommended.

Our team uses a hybrid methodology, composed of automated and manual testing, to assess the source code of your Java, PHP, and .NET web applications to identify vulnerabilities before cybercriminals do.

Our services rely on highly skilled cyber security analysts and pen-testers with extensive experience, both in defense and offense.

What are we testing for during a Secure Code Review?

Our secure code review partially covers the OWASP Top Ten vulnerabilities and the CWE/SANS Top 25 Most Dangerous Software Errors. The following is a non-exhaustive list of items that will be checked:

Injection Flaws

Web-borne threats such as SQL injection, OS command injection, and LDAP injection, which occur when user-supplied data is sent to an interpreter (a database, an operating system shell, a directory server) as part of a command or query without being separated from the command itself. The attacker's malicious payload can trick the application into executing unintended commands or accessing data without proper authorization.

Cross Site Scripting (XSS)

XSS vulnerabilities occur when a web application places user-supplied input in a web page without proper validation and output encoding for the context it lands in. Cross Site Scripting allows an attacker to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
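Output encoding has to match the context: escaping for HTML text is not enough for a value that ends up in an `href`, where `javascript:` survives escaping untouched. The following added example (not from the original page or from wizlynx; Python is used for a runnable illustration, the function names are hypothetical) renders a comment both ways and shows the extra scheme check a URL attribute needs:

```python
import html
from urllib.parse import urlparse


def render_comment_vulnerable(author, text):
    # Vulnerable: untrusted fields are concatenated straight into the markup,
    # so "<script>" in the comment text becomes a script element in the page.
    return f"<p><b>{author}</b>: {text}</p>"


def render_comment_safe(author, text):
    # Hardened: every untrusted value is escaped for the HTML text context
    # it is placed in. html.escape also escapes quotes, so the same function
    # is safe for quoted attribute values.
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"


def safe_href(url):
    # Escaping alone does not help here: html.escape("javascript:alert(1)")
    # returns the string unchanged, and the browser would still execute it.
    # So the scheme is allow-listed first, then the value is escaped for the
    # attribute context.
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ("http", "https"):
        return "#"  # neutralise anything that is not a plain web link
    return html.escape(url, quote=True)


def render_link_safe(url, label):
    return f'<a href="{safe_href(url)}">{html.escape(label)}</a>'


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(render_comment_vulnerable("eve", payload))
    print(render_comment_safe("eve", payload))
    print(render_link_safe("javascript:alert(1)", "click me"))
```

In a review, the same question is asked of every template and every string that reaches the response: which context (HTML text, attribute, URL, JavaScript, CSS) does this value land in, and is it encoded for exactly that context?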

Broken Authentication

Authentication and session management are frequently designed incorrectly, allowing cybercriminals to compromise user credentials, keys, or session tokens, or to exploit other flaws to assume other users' identities.

Sensitive Data Exposure

Many web apps and APIs do not properly protect sensitive information such as credit card numbers, user credentials, or patient information. Cybercriminals may steal or tamper with such weakly protected data to conduct credit card fraud, identity theft, or other crimes.
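Credential storage sits at the intersection of the two items above: how passwords and session tokens are generated, stored and compared decides whether a leaked database or a timing side channel hands an attacker every account. The block below is an added example, not code from the original page or from wizlynx; it is Python, the iteration count is an assumption to be tuned per deployment, and the function names are hypothetical. It contrasts an unsalted fast hash with a salted, iterated password hash verified in constant time, and shows session tokens drawn from a cryptographic source:

```python
import hashlib
import hmac
import secrets

# Assumed work factor for PBKDF2-HMAC-SHA256; tune it to your hardware and
# current guidance rather than copying this number.
ITERATIONS = 600_000


def store_password_weak(password):
    # Weak: an unsalted, fast hash. Equal passwords give equal hashes, so
    # rainbow tables and GPU cracking recover most of a leaked table quickly.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password, iterations=ITERATIONS):
    # Hardened: a per-user random salt and a slow, iterated hash. The record
    # carries everything needed to verify later, so the work factor can be
    # raised for new passwords without breaking old ones.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: "==" on bytes stops at the first mismatch and
    # leaks how much of the digest matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def new_session_token():
    # Session identifiers must be unpredictable: use the OS CSPRNG, never the
    # `random` module or a timestamp-derived value.
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    record = store_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))
    print(verify_password(record, "Tr0ub4dor&3"))
    print(new_session_token())
```

The same review questions apply whatever the platform: is the hash salted and deliberately slow, is the comparison constant-time, and where do session tokens and keys come from?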

XML External Entities (XXE)

Numerous legacy or poorly configured XML parsers evaluate external entity references within XML documents. External entities can be abused to disclose internal files through the file URI handler or internal file shares, to scan internal ports, to achieve remote code execution, and to mount denial of service attacks.
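The fix a reviewer expects to see is the parser configured to refuse DTDs before any entity can be declared, since external entities, parameter entities and entity-expansion bombs all need a DOCTYPE. The block below is an added example, not code from the original page or from wizlynx, and is Python rather than one of the platforms named above: it makes that decision explicitly on the raw input, with a constructed XXE sample beside a benign document. Python's own ElementTree does not fetch external entities, so the value of the check here is the explicit, fail-closed policy, which is what the equivalent parser feature (for example `disallow-doctype-decl` on a Java SAX or DOM factory) provides:

```python
import re
import xml.etree.ElementTree as ET

# Any DOCTYPE, in any case, is grounds for rejection of untrusted XML.
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)

# Constructed sample input: an XXE payload of the kind described above.
XXE_SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<order><id>&xxe;</id></order>"""

# Constructed sample input: what the application actually expects.
BENIGN_SAMPLE = """<?xml version="1.0"?>
<order><id>42</id></order>"""


def parse_untrusted_xml(data):
    # Fail closed: refuse the document before it reaches the parser if it
    # carries a DTD, because no application document should need one.
    if DOCTYPE_RE.search(data):
        raise ValueError("DTD/DOCTYPE not allowed in untrusted XML")
    return ET.fromstring(data)


def order_id(data):
    return parse_untrusted_xml(data).findtext("id")


def is_rejected(data):
    # Helper for callers that want a boolean instead of an exception.
    try:
        parse_untrusted_xml(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(order_id(BENIGN_SAMPLE))
    print(is_rejected(XXE_SAMPLE))
```

Disabling DTDs covers more than XXE: it also removes the entity-expansion denial of service ("billion laughs") vector, which needs no external reference at all.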

Broken Access Control

Restrictions on what authenticated users can do are often not properly enforced, which can lead to horizontal and vertical privilege escalation vulnerabilities. Attackers can exploit these flaws to access unauthorized functionality and information: accessing other users' accounts, viewing sensitive files, modifying other users' data, changing access rights, etc.
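In source code this usually shows up as a handler that checks that a user is logged in but never checks that the requested object belongs to that user, or that the action is allowed for their role. The following added example (not from the original page or from wizlynx; Python, with constructed sample data and hypothetical function names) puts the vulnerable and the hardened handler for both cases side by side, one for horizontal escalation (insecure direct object reference) and one for vertical escalation:

```python
# Constructed sample data: two invoices and three users, one of them an admin.
INVOICES = {
    1: {"owner": "alice", "total": 120.0},
    2: {"owner": "bob", "total": 80.0},
}
USERS = {"alice": "user", "bob": "user", "carol": "admin"}


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


def get_invoice_vulnerable(current_user, invoice_id):
    # Vulnerable: the caller is authenticated, but nothing ties the invoice
    # to the caller. Any user can read any invoice by changing the id.
    return INVOICES[invoice_id]


def get_invoice(current_user, invoice_id):
    # Hardened: the object is released only to its owner or to an admin.
    # A missing invoice raises the same error as a forbidden one so that the
    # endpoint cannot be used to enumerate valid ids.
    invoice = INVOICES.get(invoice_id)
    role = USERS.get(current_user)
    if invoice is None:
        raise Forbidden(f"invoice {invoice_id}")
    if invoice["owner"] != current_user and role != "admin":
        raise Forbidden(f"invoice {invoice_id}")
    return invoice


def set_role_vulnerable(current_user, target, new_role):
    # Vulnerable: an administrative action reachable by any authenticated
    # user, so a normal user can promote themselves.
    USERS[target] = new_role


def set_role(current_user, target, new_role):
    # Hardened: the privilege check is made server-side, on every call,
    # from the caller's stored role rather than from anything the client sent.
    if USERS.get(current_user) != "admin":
        raise Forbidden("admin role required")
    USERS[target] = new_role


def denied(action, *args):
    # Helper: True if the action is refused with Forbidden.
    try:
        action(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print(get_invoice_vulnerable("bob", 1))   # bob reads alice's invoice
    print(denied(get_invoice, "bob", 1))      # hardened handler refuses
    print(denied(set_role, "bob", "bob", "admin"))
```

The review check is structural: for every handler that takes an identifier, where is the line that compares the object's owner to the session user, and for every privileged action, where is the role check? If either lives only in the client or in a menu that is merely hidden, it is a finding.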

Our Secure Code Reviews can be complemented by a web application penetration test for in-depth vulnerability detection.

What will you get?

All findings are documented in a final report and compared, as a strengths/weaknesses profile, against international standards for IT and cyber security. Each identified weakness is assessed, prioritized according to its associated risk, and supplemented with recommendations and remediation actions. The final report is discussed with you in a presentation. It includes a comprehensive and meaningful C-level summary of the executed security audit or penetration test, together with all detailed results, the respective evidence, and recommendations for future security measures.

Web Application Penetration Test Report

Our Cybersecurity Certifications

wizlynx's security consultants and penetration testers hold the most recognised certifications in the cyber security and penetration testing industry, such as SANS/GIAC GPEN, GWAPT, GCIH, GMOB, OSCP, CEH, CISSP, CISA and more.

Penetration Test | Offensive Security Certified Professional | OSCP
Penetration Test | GIAC Certified Penetration Tester | GPEN
Information Security | GIAC Expert Researcher and Advanced Penetration Tester | GXPN
Penetration Test | CREST Certified Penetration Tester | CREST
Penetration Test | GIAC Web App Pen Tester | GWAPT
Penetration Test | GIAC Mobile Device Security Analyst | GMOB
Penetration Test | Offensive Security Certified Expert | OSCE