Security Code Review
VSR code review services identify programming flaws that can leave your applications vulnerable to attack and exploitation. An application security code review is designed to highlight potential security vulnerabilities within the application, based on a defined application threat model. It is intended to identify unsafe coding practices in areas including, but not limited to, authentication, authorization, session management, cryptography, error handling, information leakage, data validation and language-specific coding issues. VSR is well versed in nearly all programming languages in use today, including Java, C#, ASP, C / C++, Visual Basic, Perl, Python, TCL and assembly language on various platforms.
Our security professionals perform both manual and tool-guided reviews of application code to identify issues such as:
- Poor enforcement of authentication and access control
- Weak cryptographic algorithms and implementations
- Insecure database access
- Inadequate protection of data
- Missing or weak security boundaries
- Exploitable gaps in business logic
- Poor resource management
- Insufficient audit records
- Vulnerability to well-known attacks such as SQL injection, cross-site scripting (XSS), buffer overflows, and many others
- Miscellaneous code quality and consistency issues
- Non-compliance with organizational code development policies
To provide more rapid and cost-effective reviews, VSR will often develop a high-level threat model to identify areas of increased exposure, such as an application's entry points and the components that act as application security controls. In other instances, VSR may perform full source code reviews to ensure complete coverage, identifying each instance of specific types of vulnerabilities. The resulting documentation and knowledge transfer provide developers with the recommendations and code samples necessary to remedy vulnerabilities in ways that are closely aligned with industry best practices.
VSR offers several types of code review, depending primarily on client objectives. We work with our clients to identify the code review solution that best meets their business objectives. VSR offers the following types of application security code review:
- Full manual code review
- Manual review of security critical application components
- Hybrid assessment consisting of automated and manual code review
- Fully automated code review and integration within build environments
VSR provides recommendations for developing secure applications, based on our clients' established best practices and the professional skills of our experts.