Security source code review involves analysing source code line by line to identify potential security vulnerabilities. Enigma recommends that the manual process be supported by automated code analyser tools (open source, our custom tools and commercial products) which analyse the source to detect known issues.
Information about any vulnerabilities found is documented, aggregated and presented to IT managers and developers to help them reach strategic conclusions and prioritise the related remediation efforts. In addition, our consultants can demonstrate how to resolve each issue, for example through the use of input validation functions or sanitisation routines.
The code review assessment can be applied to any programming language, whether for a web application or a standalone binary application. In the case of a web application, the vulnerabilities our team looks for are the same as in a Web Application Assessment. Below is a list of the most common issues our team members encounter.
General Insecurities
- Authorisation issues
- Buffer Overruns and overflows
- Cross-Site Request Forgery
- Data Validation
- Error handling
- Logging issues
- OS Injection
- Race Conditions
- Session Integrity Issues
- SQL Injection
- Injection flaws (LDAP, XPath, command, XSS)
- Weak password controls/change password
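As an added illustration of the kind of automated source analysis described above (this is example code written for this page, not Enigma's tooling or any commercial product), the following Python checker walks a file's syntax tree and flags two of the listed issue classes, SQL injection and OS injection, where a statement or command is assembled from runtime values immediately before reaching a sink. The two sample sources it is run against are constructed for the example; the vulnerable one shows the pattern a reviewer would raise, the hardened one shows the parameterised-query and argument-list remediation a consultant would demonstrate.

```python
"""Minimal AST-based injection checker (added example, not Enigma's tooling).

Flags, in Python source:
  * SQL text built by concatenation, %-formatting, .format() or an f-string
    and passed straight to an execute() call           -> "sql-injection"
  * a shell command built the same way and passed to os.system/os.popen
    or to subprocess.* with shell=True                 -> "os-injection"
Only inline construction is detected; a production analyser would also
follow data flow through variables, which this example deliberately omits.
"""
import ast
from dataclasses import dataclass

SQL_SINKS = {"execute", "executemany", "executescript"}
OS_SINKS = {"system", "popen"}                          # os.system / os.popen
SUBPROCESS_SINKS = {"run", "call", "check_call", "check_output", "Popen"}


@dataclass
class Finding:
    line: int
    kind: str
    message: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression assembles a string from other values at runtime."""
    if isinstance(node, ast.Constant):
        return False                                    # literal: not flagged
    if isinstance(node, ast.JoinedStr):                 # f-string with {…} parts
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                     # "…" + x  or  "…" % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"               # "…".format(x)
    return False                                        # bare names etc.: no data flow here


def _shell_true(call: ast.Call) -> bool:
    """True if the call carries a literal shell=True keyword."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


class InjectionChecker(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and node.args:
            first = node.args[0]
            owner = func.value.id if isinstance(func.value, ast.Name) else ""
            if func.attr in SQL_SINKS and _is_dynamic_string(first):
                self.findings.append(Finding(node.lineno, "sql-injection",
                    "SQL statement built at runtime; use a parameterised query"))
            elif owner == "os" and func.attr in OS_SINKS and _is_dynamic_string(first):
                self.findings.append(Finding(node.lineno, "os-injection",
                    "shell command built at runtime; use subprocess with an argument list"))
            elif (owner == "subprocess" and func.attr in SUBPROCESS_SINKS
                  and _shell_true(node) and _is_dynamic_string(first)):
                self.findings.append(Finding(node.lineno, "os-injection",
                    "shell=True with a runtime-built command; pass an argument list instead"))
        self.generic_visit(node)                        # keep walking nested calls


def check_source(source: str) -> list[Finding]:
    """Parse `source` and return all findings in source order."""
    checker = InjectionChecker()
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed sample: the pattern a reviewer would raise.
VULNERABLE_SAMPLE = '''
import os
def find_user(cursor, name, directory):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cursor.execute(f"SELECT id FROM users WHERE name = '{name}'")
    os.system("ls " + directory)
'''

# Constructed sample: the same logic after remediation.
HARDENED_SAMPLE = '''
import subprocess
def find_user(cursor, name, directory):
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))
    subprocess.run(["ls", directory], check=False)
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(f"--- {label} sample ---")
        for f in check_source(src) or []:
            print(f"line {f.line}: {f.kind}: {f.message}")
```

Running the module reports three findings for the vulnerable sample (two SQL sinks on lines 4 and 5, one OS sink on line 6) and none for the hardened one. The point of the remediation shown is that the parameterised query keeps user input out of the statement text entirely, and the argument list to `subprocess.run` means no shell ever parses the input, which is a stronger fix than escaping or filtering characters.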