As companies increasingly rely on software to run their business, the number of attacks targeting these applications is rising.
An insecure web, mobile, IoT or desktop application could potentially allow an attacker to gain unauthorised access, compromise application functionality or steal sensitive user data – ultimately impacting your business not only in lost revenue, fines and legal sanctions but also through reputational damage and lost trust with customers.
Verifying code prior to its release can significantly cut down the time and resources that remediation would otherwise consume if vulnerabilities were found after the code has been deployed. Implementing source code reviews alongside secure coding best practices as part of your development process is therefore important to provide assurance around your applications' security.
Our experience in conducting source code review
Context are experts in software security and secure engineering, providing source code security assessments and development assurance for some of the world’s largest organisations.
Our expert consultants possess a blend of experience in software development, penetration testing and secure coding practices, allowing us to confidently deliver high-quality code review assessments.
This is evidenced by the work of Context’s independent vulnerability research department, which has identified and published security weaknesses in high profile code bases including the Linux kernel, Android, Java, Microsoft .NET and modern web browsers including Mozilla Firefox, Edge and Chrome.
Key benefits of Context’s source code review services
We can:
- Review new or existing code bases to identify security issues before release or deployment, to maintain reliability, brand reputation and consumer confidence.
- Work with your organisation to provide code review as part of your secure SDLC (Software Development Life Cycle).
- Review product source code to provide quality assurance, as part of a due diligence process during mergers and acquisitions.
- Provide guidance and ongoing assurance on secure and defensive development processes and design.
Development Assurance Approach
Context can provide detailed advice on every aspect of the software development process, from design to release, providing clients with actionable measures to increase the overall security of the deployment, build process and source code.
Source Code Review Approaches
Context are able to deliver source code review services for web, mobile, desktop and IoT applications using the following approaches:
Static Analysis
A purely static approach to code review can be taken where an executable version of the software cannot be provided. It is also useful where disclosure of the entire code base is not desirable, or where only one component of an overall solution requires review.
The following techniques can be employed during static analysis, based on customer requirements:
- Manual source code review
Our experts are able to manually identify security vulnerabilities within source code that an automated tool would often miss. Such vulnerabilities typically exist within critical functionality, including business logic, encryption, network communications and access controls.
- Automated source code review
A fully automated approach can ensure breadth of coverage in the identification of some of the most commonly found vulnerabilities, using industry-recognised commercial code-scanning tools and Context's own custom tooling.
- Blended
By combining manual and automated approaches the review can provide both breadth and depth of coverage.
- Focussed / Bespoke
Targeted review can focus on specific areas of the code base, typically those that provide security related, network or complex functionality.
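To illustrate why a blended review gives both breadth and depth, the following added example (not Context's tooling, and not code from the page) contrasts the two approaches on a constructed snippet of application source. A small signature-based scanner of the kind automated tools excel at flags a hard-coded credential and a shell-injection sink, but has nothing to match on the missing ownership check in `get_invoice`, which is exactly the business-logic and access-control class of flaw that manual review finds. The vulnerable handler and its corrected form follow. All names, the sample source and the invoice data are constructed for this illustration.

```python
"""Blended review illustration: what a pattern scanner catches and what it misses.

Part 1: a signature-based scanner run over a constructed source snippet.
Part 2: an authorisation flaw (no ownership check) that has no dangerous
'sink' for a pattern matcher to find, in vulnerable and corrected forms.
"""
import re
from dataclasses import dataclass

# Constructed sample source for the scanner; not from any real project.
SAMPLE_SOURCE = """\
import subprocess
DB_PASSWORD = "hunter2"                     # hard-coded secret
def run(cmd):
    return subprocess.run(cmd, shell=True)  # shell injection risk
def get_invoice(user_id, invoice_id):
    return INVOICES[invoice_id]             # no ownership check
"""

# Signatures for commonly found issues: finding name -> regex.
SIGNATURES = {
    "hard-coded-secret": re.compile(
        r'(?i)(password|secret|api_key)\s*=\s*["\'][^"\']+["\']'),
    "shell-injection": re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True"),
    "dangerous-eval": re.compile(r"\beval\("),
}


def scan(source: str) -> list[tuple[int, str]]:
    """Return (line_number, finding_name) for every signature match."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


@dataclass(frozen=True)
class Invoice:
    owner: str
    amount: int


# Constructed data store: two users, one invoice each.
INVOICES = {
    101: Invoice(owner="alice", amount=120),
    102: Invoice(owner="bob", amount=999),
}


def get_invoice_vulnerable(user_id: str, invoice_id: int) -> Invoice:
    """Authenticated but not authorised: any user can read any invoice.

    No scanner signature fires here; only a reviewer who understands the
    data model notices that user_id is never consulted.
    """
    return INVOICES[invoice_id]


def get_invoice_fixed(user_id: str, invoice_id: int) -> Invoice:
    """Ownership is enforced before the record is returned."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != user_id:
        # Same error for 'missing' and 'not yours', so record existence
        # cannot be probed by iterating identifiers.
        raise PermissionError("invoice not accessible to this user")
    return invoice


if __name__ == "__main__":
    for lineno, name in scan(SAMPLE_SOURCE):
        print(f"scanner: line {lineno}: {name}")
    print("vulnerable handler returns:", get_invoice_vulnerable("alice", 102))
    try:
        get_invoice_fixed("alice", 102)
    except PermissionError as exc:
        print("fixed handler:", exc)
```

The scanner reports lines 2 and 4 of the sample and stays silent on line 6, while the vulnerable handler hands Alice Bob's invoice and the fixed one refuses. Neither half is sufficient alone: the signatures give repeatable breadth across a large code base, and the ownership check is the kind of finding that depends on a reviewer understanding what the application is supposed to allow.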
Dynamic Analysis
Dynamic techniques can additionally be used to map complex code paths more efficiently. They also help reduce false positive findings, as a Context security expert can verify each issue against a running copy of the software.