An insecure web, mobile, IoT or desktop application could allow an attacker to gain unauthorised access, compromise application functionality or steal sensitive user data – ultimately impacting your business not only in lost revenue, fines and legal sanctions but also through reputational damage and lost trust with customers.
A code review can verify the security of your application source code and find security flaws that may have been overlooked in the initial development phase and could leave your application vulnerable to attack.
Verifying code prior to its release can significantly cut down on the time and resources that would otherwise be needed if vulnerabilities were found after the code has been deployed. Implementing source code reviews alongside secure coding practices as part of your development process is therefore important to provide assurance around your applications' security.
Context are experts in software security and secure engineering, providing source code security assessments and development assurance for some of the world’s largest organisations.
Our expert consultants possess a blend of experience in software development, penetration testing and secure coding practices, allowing us to confidently deliver high-quality code review assessments.
This is evidenced by the work of Context’s independent vulnerability research department, which has identified and published security weaknesses in high profile code bases including the Linux kernel, Android, Java, Microsoft .NET and modern web browsers including Mozilla Firefox, Edge and Chrome.
How we can help:
- Review new or existing code bases to identify security issues before release or deployment, to maintain reliability, brand reputation and consumer confidence.
- Work with your organisation to provide code review as part of your secure SDLC (Software Development Life Cycle).
- Review product source code to provide quality assurance, as part of a due diligence process during mergers and acquisitions.
- Provide guidance and ongoing assurance on secure and defensive development processes and design.
Development Assurance Approach
Context can provide detailed advice on every aspect of the software development process, from design to release, providing clients with actionable measures to increase the overall security of the deployment, build process and source code.
Source Code Review Approaches
Context are able to deliver source code review services for web, mobile, desktop and IoT applications using the following approaches:
- Static analysis: A purely static approach to code review can be taken where an executable version of the software cannot be provided. This may also be useful where disclosure of the entire code base is not desirable, or where only one component of an overall solution requires review.
The following techniques can be employed during static analysis, based on customer requirements:
- Manual review: Our experts are able to manually identify security vulnerabilities within source code that an automated tool would often miss. Such vulnerabilities typically exist within critical functionality, including business logic, encryption, network communications and access controls.
- Automated scanning: A fully automated approach can ensure breadth of coverage in the identification of some of the most commonly found vulnerabilities, using industry-recognised commercial code-scanning tools and Context’s custom tools.
- Combined manual and automated review: By combining manual and automated approaches, the review can provide both breadth and depth of coverage.
- Focussed/Bespoke: Targeted review can focus on specific areas of the code base, typically those that provide security-related, network or complex functionality.
- Dynamic analysis: Dynamic techniques can additionally be used to make the mapping of complex code paths more efficient. They can also help reduce false positive findings, as a Context security expert can verify each issue against a running copy of the software.
Upon completion of a review, we will provide a detailed report that includes the risk associated with each vulnerability found and recommendations for remedial actions.