Source Code Security Vulnerability Assessment
Why We Do Source Code Vulnerability Assessments
The Source Code Security Vulnerability Assessment is intended to complement your internal software quality programs. It is a well-defined process that analyzes a selected portion of your business application code for security problems. This process makes your network-based application more secure and less vulnerable to determined intruder or hacking attacks.
It has two distinct parts:
- An on-site interactive review of the application design and implementation
- An off-site hands-on analysis of a selected portion of code
The duration of the analysis phase depends on your individual needs and can last from several days to several weeks. SystemExperts will work with you to make sure your company's needs are met.
Contact us to learn more and to request your own Source Code Security Vulnerability Assessment.
Remarkably Efficient Process
SystemExperts uses its signature Accelerated Assessment methodology to minimize the burden it places on your budget and resources: for example, we do not require our clients to prepare detailed documentation. Prior to the on-site sessions, we will need a small amount of your time on the phone to answer a handful of basic questions about the code and the functionality of the application.
Based on the answers to those questions, we assign staff with programming-language-specific skills to the project. We also assign staff familiar with overall application architectures, design models, and development practices. Creating effective and secure business applications is not just about the technical details of coding in C(++), Java(script), XML, or whatever language is being used; it is about ensuring that the primary business objectives are implemented and supported by the entire application environment.
In all likelihood, we will not audit your entire code base. There is usually no need to go over each and every line of your code to understand the security vulnerabilities of the application. By understanding your application design, we will identify the security-critical set of modules or functions and put those under the microscope.
How We'll Work Together
We will not be auditing you. Rather, together through a series of highly interactive discussions, we will openly explore the strengths and weaknesses of your entire environment in the context of your business, functional, and regulatory requirements.
The sessions are highly interactive, good-natured, and mentally draining. What may surprise you to learn is that they are most often quite enjoyable. We'll bring a small team of consultants, typically two or three. We will choose them based on your particular technical needs (e.g., Windows, networking, databases, application infrastructure, PeopleSoft, ISO 17799 or Sarbanes-Oxley compliance).
Following the on-site sessions, our team will spend an agreed-upon amount of time off-site performing a detailed analysis of the selected code. Depending upon the amount of code to be reviewed, this process generally lasts one to three weeks. During that review, we will look for common security problems and issues such as unvalidated parameters, broken access control, broken account and session management, inappropriate state management, buffer overflows, error handling problems, and insecure use of cryptography. These types of issues are often the reason why Web-based applications are subverted, providing access to back-end systems and data, or enabling intruders to masquerade as other users.
Where does the Source Code Security Vulnerability Assessment fit into your process?
The typical business application is the result of a long and complex process: architecture, design, implementation, functional testing, quality assurance testing, production deployment, and maintenance. During the last ten years, we have seen the need for independent, unbiased code reviews increase significantly. The reason for this is that the time-to-market requirements in the fast-paced Web world compress the development cycle. Security issues are often pushed to the side or expected to be remedied in later releases.
SystemExperts has the specific skills to identify security problems in your application code and the programming expertise to recommend practical remedies.
Contact SystemExperts for a consultation on our source code security vulnerability assessments today.