Source Code Review

Identify security flaws in the application related to its features and design

What is Source Code Review and why is it important?

Source code review is the process of systematically examining the source code of a software application to identify security vulnerabilities and weaknesses. It requires a deep understanding of the programming language and frameworks in use, and of how the code interacts with the rest of the system. The examination is performed by our experienced security experts, who have the technical knowledge and experience to identify issues and potential risks.

The purpose of source code review is to ensure that the code meets security standards and is free of vulnerabilities that attackers could exploit. Fixing security flaws early in the development process is far more cost-effective than fixing them after the application has been deployed. In addition, code review helps prevent the same mistakes from being repeated in future development and ensures that applications are secure from the ground up.

Source Code Review Methodology we use:

Identification of entry and exit points:

We identify the entry points and exit points where a potential attacker can interact with the application, the assets (the items or areas an attacker would be interested in), and the trust levels that represent the access rights the application grants to external entities.

Transactions Analysis

This phase analyses the application's functions to verify the presence of security controls that protect the confidentiality, integrity, availability, and accountability of those functions. The steps in this phase are:

  • Static code Analysis
  • Manual Review
  • Coding standards

Issue Identification and Risk rating

The first step is to identify the security risk that needs to be rated. Our team gathers information about the threat agent involved, the attack that would be used, the vulnerability in the code, and the impact of a successful exploit on the business. There may be several possible groups of attackers, or several possible business impacts; in that case it is best to err on the side of caution and use the worst-case option, since that yields the highest overall risk. The risk rating then calculates the overall severity of the risk: we rate the likelihood as low, medium, or high, do the same for the impact, and combine the two.
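As an added illustration of this rating step (example code written for this page, not the firm's own tooling): the factor names, the 0-9 scale, the averaging, and the Low/Medium/High bands follow the public OWASP Risk Rating Methodology, and the two attacker scenarios for a hypothetical leaked cloud key are constructed. The worst-case rule from the paragraph above is applied by taking the most severe scenario.

```python
"""Risk rating in the style of the OWASP Risk Rating Methodology.

Added example. Factor names, the 0-9 scale and the <3 / <6 / >=6 bands are
OWASP's; the scenario ratings below are constructed for illustration.
"""
from statistics import mean

# Likelihood factors: threat agent (skill, motive, opportunity, size) and
# vulnerability (discovery, exploit, awareness, detection). Higher = more likely.
LIKELIHOOD_FACTORS = ("skill_level", "motive", "opportunity", "size",
                      "ease_of_discovery", "ease_of_exploit", "awareness",
                      "intrusion_detection")
# Impact factors: technical (C, I, A, accountability) and business.
IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                  "loss_of_availability", "loss_of_accountability",
                  "financial_damage", "reputation_damage",
                  "non_compliance", "privacy_violation")

# Overall severity matrix: (likelihood level, impact level) -> severity.
SEVERITY = {
    ("Low", "Low"): "Note",      ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",    ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium",   ("High", "Medium"): "High",     ("High", "High"): "Critical",
}
SEVERITY_ORDER = ["Note", "Low", "Medium", "High", "Critical"]


def score(ratings, factors):
    """Average the 0-9 ratings of the given factors; reject missing or out-of-range values."""
    values = []
    for f in factors:
        v = ratings[f]                      # KeyError if a factor was not rated
        if not 0 <= v <= 9:
            raise ValueError(f"{f} must be rated 0-9, got {v}")
        values.append(v)
    return mean(values)


def level(s):
    """OWASP bands: 0 to <3 Low, 3 to <6 Medium, 6 to 9 High."""
    if s < 3:
        return "Low"
    if s < 6:
        return "Medium"
    return "High"


def rate(ratings):
    """Rate one scenario: likelihood and impact levels, then the matrix lookup."""
    lik, imp = score(ratings, LIKELIHOOD_FACTORS), score(ratings, IMPACT_FACTORS)
    ll, il = level(lik), level(imp)
    return {"likelihood": lik, "likelihood_level": ll,
            "impact": imp, "impact_level": il,
            "severity": SEVERITY[(ll, il)]}


def worst_case(scenarios):
    """Several attacker groups or impacts: keep the most severe, as the text advises."""
    return max((rate(s) for s in scenarios),
               key=lambda r: SEVERITY_ORDER.index(r["severity"]))


def ratings(*values):
    """Build a ratings dict from 16 values in LIKELIHOOD_FACTORS + IMPACT_FACTORS order."""
    return dict(zip(LIKELIHOOD_FACTORS + IMPACT_FACTORS, values))


# Constructed finding: a cloud access key committed to a public repository.
# Attacker group 1: opportunistic Internet scanners harvesting leaked keys.
SCANNER_BOT = ratings(3, 9, 9, 9, 9, 9, 9, 8,   7, 7, 7, 7, 7, 5, 7, 7)
# Attacker group 2: a contractor with repository access but limited cloud knowledge.
INSIDER = ratings(6, 4, 4, 2, 7, 5, 6, 3,   6, 5, 5, 7, 3, 5, 5, 5)

if __name__ == "__main__":
    for name, s in (("scanner bot", SCANNER_BOT), ("insider", INSIDER)):
        print(name, rate(s))
    print("worst case:", worst_case([SCANNER_BOT, INSIDER])["severity"])
```

The scanner-bot scenario averages 8.125 for likelihood and 6.75 for impact (both High, so Critical), the insider scenario lands in Medium for both, and the worst-case rule reports Critical for the finding.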

If your source code is hosted on GitHub or GitLab, the tools and techniques we use include tools that walk your entire commit history, not just the current state of the main branch. Developers often leave hard-coded credentials, secret keys, and API keys for various services in past commits, and such a leak can result in a full takeover of the affected services or of your source code itself. We study your code in detail to assess what sensitive information can be extracted and used to compromise your data, or your complete infrastructure, depending on what is found deep within your JavaScript, JSON, and code.
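One way to walk a repository's history for hard-coded keys, as an added example in Python (this is not the firm's own scanner): it reads the text of `git log -p --all`, tracks which commit and file each added or removed line belongs to, and applies a few detection patterns. Removed lines are reported too, because a secret "cleaned up" in a later commit is still recoverable from history. The sample history below is constructed, the commit hashes are made up, and the key values are the placeholder examples AWS uses in its own documentation.

```python
"""Scan `git log -p --all` output for hard-coded secrets.

Added example, not the firm's tooling. Usage on a real repository:
    git log -p --all | python scan_history.py
With no piped input it scans the constructed SAMPLE_HISTORY below.
"""
import math
import re
import sys
from collections import Counter

PATTERNS = {
    # AWS access key id format: AKIA followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # Any PEM private key block.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # name containing api_key/secret/token/password assigned a long quoted literal.
    "generic_secret": re.compile(
        r"""(?i)(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*['"]([A-Za-z0-9+/=_\-]{16,})['"]"""),
}


def shannon_entropy(s):
    """Bits per character; real keys score high, words like 'changeme_password' score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_history(text, entropy_threshold=3.5):
    """Return one finding per matching added ('+') or removed ('-') diff line."""
    findings = []
    commit = path = None
    for line in text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
            continue
        if line.startswith("+++ b/") or line.startswith("--- a/"):
            path = line[6:]                 # file header, not a content line
            continue
        if line.startswith("+++ ") or line.startswith("--- "):
            continue                        # /dev/null headers
        if not (line.startswith("+") or line.startswith("-")):
            continue                        # context, hunk headers, messages
        body = line[1:]
        for name, pat in PATTERNS.items():
            m = pat.search(body)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            # Generic matches are noisy: drop low-entropy literals such as "example_password".
            if name == "generic_secret" and shannon_entropy(value) < entropy_threshold:
                continue
            findings.append({
                "commit": commit, "path": path, "type": name,
                "state": "added" if line[0] == "+" else "removed",
                "value": value[:4] + "..." + value[-4:],   # never log the full secret
            })
    return findings


# Constructed history: a key committed, then "removed" in the next commit.
SAMPLE_HISTORY = """\
commit 3f2a9c1d
Author: dev <dev@example.com>

    add s3 upload helper

diff --git a/config.py b/config.py
--- /dev/null
+++ b/config.py
@@ -0,0 +1,3 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+BUCKET = "uploads"

commit 8b1e44f0
Author: dev <dev@example.com>

    move creds to env

diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,3 @@
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
 BUCKET = "uploads"
"""

if __name__ == "__main__":
    text = SAMPLE_HISTORY if sys.stdin.isatty() else sys.stdin.read()
    for f in scan_history(text):
        print(f"{f['commit']} {f['path']} [{f['state']}] {f['type']}: {f['value']}")
```

On the sample history the scanner reports four findings: both keys added in the first commit and both keys removed in the second. The second commit is the important one for a reviewer: the developer believes the keys are gone, but anyone who can clone the repository can still read them, so the keys must be rotated, not merely deleted.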

So what is Reverse Engineering of Mobile Applications?

Software reverse engineering is the process of analysing a software system to recover its design and implementation details. Reverse engineering yields the application's source code (or a decompiled approximation of it), an inside view of its architecture, and its third-party dependencies. From a security perspective, it is mostly used for finding vulnerabilities and for attacking or cracking an application. The process is carried out either by obtaining the code in plaintext or by reading the compiled binaries and their disassembly. Nowadays, reverse engineering is widely applied to mobile applications and is considered a security risk: the Open Web Application Security Project (OWASP), a leading security research community, includes reverse engineering in its Mobile Top 10 list of mobile application risks.

Mobile applications are used in many sectors, e.g., banking, education, and health. Banking applications in particular are critical in terms of security, as they are used for financial transactions; a security breach of such an application can result in huge financial losses for the customers as well as the bank. Various tools exist for reverse engineering mobile applications; however, they have deficiencies such as complex configuration and a lack of detailed analysis reports.

What do you achieve by performing this?

Code review aims to identify security flaws in the application related to its features and design, along with the exact root causes. With the increasing complexity of applications and the advent of new technologies, the traditional way of testing may fail to detect all the security flaws present in the applications. One must understand the code of the application, external components, and configurations to have a better chance of finding the flaws. Such a deep dive into the application code also helps in determining the exact mitigation techniques that can be used to avert security flaws.

Tools can be used to perform this task, but their output always needs human verification. They do not understand context, which is the keystone of security code review. Tools are good at assessing large amounts of code and pointing out possible issues, but a person needs to verify every result to determine whether it is a real issue, whether it is actually exploitable, and what the risk to the enterprise is. Human reviewers are also necessary to cover the significant blind spots that automated tools simply cannot check.
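As an added illustration of the context point (a constructed example, not code from any client code base): a pattern-based scanner flags both string-built queries below as "SQL built from string concatenation", but only the one that reaches user input is exploitable. The reviewer confirms that by running a classic payload against an in-memory SQLite database, and the parameterised version shows the fix.

```python
"""Two scanner hits, one real: verifying a SAST finding in context.

Added example with a constructed schema and data; not from any real code base.
"""
import sqlite3


def make_db():
    """In-memory table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn


ROLE_FILTER = "user"   # a compile-time constant, never attacker-controlled


def list_by_role(conn):
    # Flagged by the tool (string concatenation into SQL), but the only input is a
    # constant: the reviewer closes it as not exploitable (still worth tidying up).
    q = "SELECT name FROM users WHERE role = '" + ROLE_FILTER + "' ORDER BY id"
    return [r[0] for r in conn.execute(q)]


def find_user_vulnerable(conn, name):
    # Same pattern, but `name` comes from the request: a true positive.
    q = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [r[0] for r in conn.execute(q)]


def find_user_fixed(conn, name):
    # Hardened form: parameter binding, so input never becomes SQL syntax.
    return [r[0] for r in conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY id", (name,))]


PAYLOAD = "x' OR '1'='1"   # turns the WHERE clause into a tautology


def review_finding(conn):
    """Reviewer's exploitability check: does the payload return more than a normal lookup?"""
    baseline = find_user_vulnerable(conn, "alice")
    with_payload = find_user_vulnerable(conn, PAYLOAD)
    return {
        "list_by_role": "not exploitable: input is a constant",
        "find_user_vulnerable": "exploitable" if len(with_payload) > len(baseline)
                                else "not exploitable",
        "find_user_fixed": "exploitable" if find_user_fixed(conn, PAYLOAD)
                           else "not exploitable",
    }


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, PAYLOAD))   # every row leaks
    print(find_user_fixed(db, PAYLOAD))        # nothing matches the literal string
    print(review_finding(db))
```

The tool is right that both sites build SQL from strings; only a reviewer who traces where `name` comes from can say which one an attacker can reach, and that is what drives the risk rating.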

Get in touch with our security experts to discuss your needs and receive personalized guidance toward a solution tailored specifically for you.