Overview
A security source code review assesses the security of an application by examining its source code. COE Security's code review methodology assesses the people, the processes, and the technologies behind each application. By evaluating each layer of the application, the development process, and the developers themselves, Stratum Security can identify critical flaws, determine their root cause, and construct cost-effective recommendations for remediation.
Key Benefits
Our source code analysis services combine industry-leading automated source code scanning tools with the expertise of seasoned security professionals to thoroughly assess the quality and security of virtually any existing code base. During source code analysis reviews, our consultants provide in-depth analysis of the mitigating techniques essential for timely, accurate and cost-effective remediation. Our assessors are also prepared to consult on proper System Development Lifecycle (SDLC) adherence, change management procedures and other best practices paramount for a secure and efficient development team.
Methodology
- Identify the root cause of software security vulnerabilities in both source code and running applications
- Detect more than 470 types of vulnerabilities across 18 development languages and more than 600,000 APIs
- Fix your most important security issues faster with collaborative remediation
- Contain existing vulnerabilities in deployed software so they can do no harm
- Govern the process for ensuring the security of the software you depend on
- Stay ahead of threats by leveraging the industry's only team dedicated to providing continuing research on application security issues and threats
- Comply with government and industry compliance mandates and internal policies such as Payment Card Industry Data Security Standards (PCI DSS), the Federal Information Security Management Act (FISMA), Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and North American Electric Reliability Corporation (NERC) standards
Supported programming languages include, but are not limited to, the following:
• ASP.NET, VB.NET, C# (.NET)
• Classic ASP (with VBScript)
• COBOL
• Java
• JavaScript/AJAX
• JSP
• PHP
• PL/SQL
• Visual Basic
• VBScript
• XML
• HTTP
Detailed assessment of the following components within the Source Code:
- Secure Software Design – Secure Software Development Lifecycle
- Data Protection in Storage and Transit – Use of Cryptography, Random Number Generation, Key Management
- Authentication and Authorization – Secure Authentication, Protocols, Access Control Models
- Secure User and Session Management – Secure Sessions, Password Storage, Handling Password Resets
- Client Side Security – Client Side Security Controls, Code Obfuscation, Anti-Tampering Measures
- Data Validation Strategies – Trust Boundaries, Data Validation Design, Common Data Validation Attacks
- Error Handling and Exception Management – Security Impact, Structured Exception Handling, Failing Securely, Designing Error Messages
- Secure Auditing and Logging – Error Logging, Exception Logging, Security Alerts