Security Source Code Reviews
Security source code reviews can often identify additional vulnerabilities that do not show up in penetration tests.
Even within a security source code review there are different levels of depth: from the classic standard "security source code review" through the "walk-through" to the "deep inspection", there is a method appropriate for each code base to be examined.
It has also often proven useful to conduct a security source code review as a supplement to a penetration test.
Analysis and recommendations for action
In the case of web applications, for example, msg security advisors follow the OWASP Code Review Guide to check the configuration, look for known problematic patterns and analyze the code for its data flow. Vulnerabilities found are verified where possible, assessed and summarized in a report with appropriate recommendations for action.
The audit aspects include:
- Identification of the programming language, framework and dependencies used
- Checking for outdated dependencies with known vulnerabilities
- Checking configuration for insecure defaults, settings, plain-text credentials, and PII (Personally Identifiable Information)
- Identification of authentication flows, authorization roles and authorization mechanisms
- Identification of all entry points for user input
- Review of the validation mechanisms applied to all user input before the code processes it
- Reviewing code for known problematic patterns, such as insecure deserialization of user-supplied data
- Review of code for use of weak or insufficient cryptography
- Checking the code for inconsistent error handling
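As an added illustration of several of the aspects above (known problematic patterns such as insecure deserialization, weak cryptography, plain-text credentials in source, and inconsistent error handling), the following is a minimal pattern-based first-pass review helper run over a constructed sample file. It is example code written for this page, not tooling of msg security advisors, and the rule ids, regexes and sample source are all assumptions; a real review treats such hits as leads to be verified by reading the surrounding data flow, not as confirmed vulnerabilities.

```python
"""Added example: a minimal pattern-based review helper of the kind a
reviewer might use as a first pass over a code base, run here on a
constructed sample file. Not msg security advisors' tooling."""
import re
from typing import List, Tuple

# Hypothetical rule set: (rule id, description, regex over a single line).
# Each rule maps to one of the review aspects listed on the page.
RULES: List[Tuple[str, str, re.Pattern]] = [
    ("DESER-PICKLE", "insecure deserialization of untrusted data (pickle)",
     re.compile(r"\bpickle\.loads?\(")),
    ("DESER-YAML", "yaml.load() without a safe loader",
     re.compile(r"\byaml\.load\((?![^)]*SafeLoader)")),
    ("CRYPTO-WEAK-HASH", "weak hash function (MD5 / SHA-1)",
     re.compile(r"\bhashlib\.(md5|sha1)\(")),
    ("CRED-HARDCODED", "possible plain-text credential in source",
     re.compile(r"(?i)\b(password|passwd|secret|api_key|token)\s*=\s*['\"][^'\"]+['\"]")),
    ("ERR-BARE-EXCEPT", "bare except swallows every error (inconsistent error handling)",
     re.compile(r"^\s*except\s*:")),
]

# Constructed sample source for the demo; each risky function sits next to
# its hardened counterpart so the rules can be seen to hit one and not the other.
SAMPLE_SOURCE = '''\
import hashlib
import json
import pickle
import yaml

API_KEY = "constructed-placeholder-not-a-real-key"

def load_profile(blob: bytes):
    return pickle.loads(blob)              # blob comes from the request body

def load_profile_safe(blob: bytes):
    return json.loads(blob)                # data-only format, no code execution

def load_config(text: str):
    return yaml.load(text)                 # full loader on user-controlled text

def load_config_safe(text: str):
    return yaml.load(text, Loader=yaml.SafeLoader)

def fingerprint(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def parse_port(value: str):
    try:
        return int(value)
    except:
        return None
'''


def review_source(source: str) -> List[Tuple[str, int, str]]:
    """Return (rule id, 1-based line number, stripped line) for every rule hit."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule_id, _desc, pattern in RULES:
            if pattern.search(line):
                findings.append((rule_id, line_no, line.strip()))
    return findings


def finding_ids(source: str) -> List[str]:
    """Just the rule ids, in file order, for quick comparison."""
    return [f[0] for f in review_source(source)]


if __name__ == "__main__":
    descriptions = {rule_id: desc for rule_id, desc, _ in RULES}
    for rule_id, line_no, text in review_source(SAMPLE_SOURCE):
        print(f"line {line_no:>3}  {rule_id:<17} {descriptions[rule_id]}")
        print(f"          {text}")
```

On the sample, the helper flags the hard-coded key, the pickle and unsafe YAML loaders, the MD5 call and the bare except, while the json and SafeLoader variants pass. Line-oriented regexes like these are deliberately crude: they are a way to surface candidates quickly, and the actual review work is tracing whether the flagged input really is user-controlled and what reaches it.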
Your contact
Thomas Soens
Division Manager
msg security advisors