Code Review

Strengthen Your Software Security with Comprehensive Code Review

A key driving force behind most software (commercial or in-house developed) is time to market (or production lead time). This time pressure tends to contribute to a situation where code is rarely vetted for security.

System protections that are embedded in the most recent coding languages/frameworks, alongside the use of secure coding practices, limit the exposure to code flaws, but the assumption should still be that all software may harbour a security flaw.

During a source code security review, our experts inspect the source code of your new or existing application for security weaknesses or insecure coding practices. This service focuses on key elements of the coding structure such as authentication processes, data validation and session management.

The existence of design level flaws presents a high risk to applications. Such flaws are hard to find in static or dynamic application scans and instead require a deep understanding of application architecture and layout to uncover them manually. Design level security is crucial and must be adopted at an early stage of an application’s development in order to ensure a robust system.

How can Vittoba Help:

Vittoba can review the source code to validate its security and alignment with secure coding best practices such as those from OWASP, CWE and SANS. Our specialists will identify insecure code and provide a recommendation for change, including a perspective on the "real risks" for the organization. Our focus will be on identifying known vulnerabilities and on ensuring that countermeasures and security controls have been implemented. We will also ensure that the developers are following secure development methodologies and techniques.

Key Activities Include:
  • Leveraging the Threat Assessment, System Security Plan, Vulnerability Assessment, or Automated Code Analysis to understand which portions of the code should be manually reviewed;
  • Conducting a security code walkthrough with the developers, wherein the source code is peer reviewed with an emphasis on the constructs and design logic responsible for achieving relevant security objectives; and
  • Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible, the report will also include root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.