Dynamic and Static Code Analysis and Review
Application source code review is an essential part of White Box penetration tests. A source code review is the most comprehensive and reliable way to discover and eliminate vulnerabilities in your application, whether it is a simple web application or complex data management software. The experience of High-Tech Bridge's security engineers allows us to perform source code reviews across a wide range of programming languages, such as PHP, ASP, Visual Basic, Java, C/C++, Objective-C, C#, Perl, Python, Ruby and even assembly code.
Some vulnerabilities and weaknesses are difficult to discover without a thorough source code review. Such vulnerabilities are often found by hackers, who use them to compromise up-to-date systems even when the most recent patches have been installed.
A source code review is also the best way to detect intentional or accidental backdoors and logic bombs in applications that you acquire from third parties or develop in-house. Certain security standards (such as PCI DSS) require that a source code review be conducted before software is used in production, in order to identify potential coding vulnerabilities.
Source code reviews are an essential part of Static Application Security Testing (SAST) which, unlike the Dynamic Application Security Testing (DAST), requires thorough examination of each line of the application code to detect complex errors and programming mistakes. Gartner recommends the use of both approaches to achieve the highest level of security. At High-Tech Bridge, we always try to combine SAST and DAST software testing techniques to deliver the most in-depth testing for each of our customers.
We achieve the highest quality of source code review by combining automated tools (such as CodeScout, CodeAssure, Flawfinder, RATS, FindBugs, FxCop, PMD, SWAAT, RIPS, Brakeman, VCG and others) with in-depth manual analysis of the code by our security auditors. All aspects of application security are tested, including:
- Insufficient filtration of user-supplied data
- Improper memory management and buffer boundary checks
- Application logic flaws and race conditions
- Authentication and authorization bypass
- Usage of unsafe methods and functions
- Sensitive information disclosure
During source code reviews of web applications, we also detect web-specific vulnerabilities such as Cross-Site Scripting, SQL Injection, Cross-Site Request Forgery, Arbitrary Code Injection and XML Injection.
Upon completion of the source code review you will receive a report with detailed information on every vulnerability and weakness discovered, tailored recommendations on how to fix each one, and general recommendations on source code structure and style.