Secure Code Review
A Secure Code Review is a human-led examination of an application's source code to identify security vulnerabilities, including those that stem from design flaws, and to confirm that each one is a valid security issue. It is an important part of any organization's software development life cycle (SDLC) and improves both the quality and security of the software and the organization's overall security posture.
Secure code reviews are a specialized type of engagement that is not included in our standard penetration testing as a service (PtaaS) offering. This service is delivered by our Cybersecurity Services team.
| Feature | Description |
|---|---|
| Fulfilled by | Cybersecurity Services |
| Number of credits | Starting from 8 credits*, minimum of 4 days of effort |
| Number of testers | Dependent on scope |
| Collaboration | Slack |
| Retesting | Yes, according to your credit tier |
| Earliest start date | Based on availability. Typical start dates are 3-5 business days after the test is submitted to In Review. |
| Test duration | Typically between 8 and 20 days, depending on the scope. The exact duration is finalized once the test is moved to Planned. |
| Report due date | 5 business days after the test end date. |
| Kick off call | Available upon request |
| Debrief call | Available upon request |

*Dependent upon the organization's credit price.
Methodology Details
At Cobalt, we follow OWASP Secure Coding Guidelines when it comes to Secure Code Review. Cobalt’s Secure Code Review is a systematic examination of source code. During the secure code review, Cobalt will take into consideration the risk the code presents, the purpose and context of code, the count of lines of code, and the programming language(s) used.
Here are some steps that can be included in a secure code review:
- Analyze the software composition: Inventory open-source components and flag potential issues using software composition analysis (SCA) tools.
- Perform Static Application Security Testing: Execute an automated SAST tool to identify common vulnerabilities.
- Manually validate the automated findings: Review and evaluate automated results to identify and validate true issues within critical functionality. Note: Some finding classes - such as code injection - cannot be validated without active engagement of the running application.
- Manually review business logic.
- Provide recommendations on reasonable mitigations that could address discovered issues or suggested code changes or upgrade paths to fix findings (when applicable).
Note
The tools that our pentesters use during each phase may vary from test to test.
Software Composition Analysis
During Software Composition Analysis (SCA), Cobalt analyzes open-source and third-party components for known vulnerabilities.
The six phases for SCA are:
- Identification of Components
- Vulnerability Detection
- License Compliance
- Version Analysis
- Risk Assessment
- Remediation Guidance
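The following is an added example, not Cobalt's tooling, of what the first phases of SCA look like in code: build an inventory of pinned dependencies from a lockfile, compare each pinned version against an advisory feed, and report the fixed version as remediation guidance. The lockfile contents, package names and advisory identifiers are constructed placeholders, not real packages or real advisories.

```python
"""Toy software-composition check: inventory pinned dependencies and match
them against an advisory feed. Added example, not Cobalt's tooling.
Package names, versions and advisory identifiers are constructed placeholders."""
import re
from typing import Dict, List, Tuple

# Constructed sample lockfile (requirements.txt style), not a real project.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project
examplelib==1.4.2
netparser==0.9.0
fastjson==2.1.5
"""

# Constructed advisory feed: package -> list of (first_affected, fixed_in, id).
# A version v is affected when first_affected <= v < fixed_in.
SAMPLE_ADVISORIES = {
    "examplelib": [("1.0.0", "1.4.3", "ADVISORY-PLACEHOLDER-1")],
    "fastjson": [("2.0.0", "2.1.0", "ADVISORY-PLACEHOLDER-2")],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically,
    not lexically ('1.10.0' must sort after '1.9.0')."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Phase 1, identification of components: name -> pinned version.
    Unpinned lines are rejected because an inventory without exact
    versions cannot support version analysis."""
    inventory: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9.]*)", line)
        if not match:
            raise ValueError(f"unpinned or unparseable requirement: {line!r}")
        inventory[match.group(1).lower()] = match.group(2)
    return inventory


def find_vulnerable(inventory: Dict[str, str], advisories) -> List[dict]:
    """Phases 2 and 4, vulnerability detection and version analysis:
    report every pinned version that falls inside an affected range,
    with the fixed version as remediation guidance (phase 6)."""
    findings = []
    for name, version in inventory.items():
        installed = parse_version(version)
        for first, fixed, adv_id in advisories.get(name, []):
            if parse_version(first) <= installed < parse_version(fixed):
                findings.append({"package": name, "installed": version,
                                 "advisory": adv_id, "upgrade_to": fixed})
    return findings


def run_sca(requirements_text: str = SAMPLE_REQUIREMENTS,
            advisories=SAMPLE_ADVISORIES) -> List[dict]:
    """End-to-end run over the constructed sample."""
    return find_vulnerable(parse_requirements(requirements_text), advisories)


if __name__ == "__main__":
    for finding in run_sca():
        print(finding)
```

With the constructed data above, only `examplelib 1.4.2` falls inside an affected range (`fastjson 2.1.5` is past its fixed version), so the report names one package and its upgrade target. License compliance and risk assessment, the other two phases listed, need metadata that a pinned-version inventory alone does not carry, which is why real SCA tools pull both from package registries.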
Tools
Cobalt pentesters may use Software Composition Analysis tools such as:
- Semgrep Pro
- OWASP Dependency-Check
- Snyk Open Source
- Trivy
- Sonatype
- JFrog Xray
Static Application Security Testing
Cobalt uses Static Application Security Testing (SAST) tools when performing secure code reviews; they support the manual effort by searching large codebases for vulnerable patterns. A benefit of SAST tools is that they surface every instance of a given vulnerability pattern across the application, not just the one a reviewer happens to read. Some common findings identified with a SAST tool are:
- SQL injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Insecure cryptographic storage
- Insecure communications
- Buffer overflows
- Authorization flaws
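To show how a SAST rule finds "all instances" of a pattern, and why the findings still need manual validation as described in the review steps above, here is an added example (not Cobalt's tooling or any vendor's rule) of a minimal SQL-injection check. It parses a constructed Python module into an AST, flags every `execute()`/`executemany()` call whose query argument is built at runtime by concatenation, `%` formatting, `.format()` or an f-string, and leaves parameterized and constant queries alone. The sample module and its function names are constructed for the example.

```python
"""Toy SAST rule: flag database sinks that receive a dynamically built
query string. Added example, not Cobalt's tooling or a vendor rule.
The module under review below is constructed sample code."""
import ast
from typing import List, Tuple

# Constructed sample module under review (not real application code).
SAMPLE_SOURCE = '''
def get_user(cursor, username):
    # vulnerable: query text built from untrusted input by concatenation
    cursor.execute("SELECT * FROM users WHERE name = '" + username + "'")

def get_user_fmt(cursor, username):
    # vulnerable: f-string interpolation into the query
    cursor.execute(f"SELECT * FROM users WHERE name = '{username}'")

def get_user_safe(cursor, username):
    # safe: placeholder with a bound parameter, driver handles escaping
    cursor.execute("SELECT * FROM users WHERE name = %s", (username,))

def count_users(cursor):
    # safe: constant query, nothing interpolated
    cursor.execute("SELECT COUNT(*) FROM users")
'''

# Method names treated as SQL sinks (DB-API style cursors).
SINK_NAMES = {"execute", "executemany"}


def is_dynamic_string(node: ast.AST) -> bool:
    """True when the expression assembles a string at runtime from parts.
    Constant strings and plain names are not flagged."""
    if isinstance(node, ast.JoinedStr):                      # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "a" + b, "..." % b
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):                  # "...".format(b)
        return True
    return False


def find_sql_sinks(source: str) -> List[Tuple[int, str]]:
    """Return (line number, enclosing function) for every sink call whose
    first argument is a dynamically built string."""
    tree = ast.parse(source)
    findings: List[Tuple[int, str]] = []
    for func_def in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        for node in ast.walk(func_def):
            if not isinstance(node, ast.Call) or not node.args:
                continue
            callee = node.func
            if isinstance(callee, ast.Attribute) and callee.attr in SINK_NAMES:
                if is_dynamic_string(node.args[0]):
                    findings.append((node.lineno, func_def.name))
    return findings


if __name__ == "__main__":
    for line, func in find_sql_sinks(SAMPLE_SOURCE):
        print(f"line {line}: dynamic query passed to SQL sink in {func}()")
```

Run against the sample, the rule reports the two interpolating functions and stays silent on the parameterized and constant queries. It is deliberately syntactic: `"SELECT " + "COUNT(*)"` would also be flagged although no untrusted data is involved, and a query assembled in a helper and passed in as a variable would be missed. Those false positives and false negatives are exactly what the manual validation step is for.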
Tools
Cobalt pentesters may use Static Application Security Testing tools such as:
- Semgrep Pro
- Bearer
- Checkmarx
- Fortify
- Snyk
- SonarQube
- Veracode
Manual Review of Business Logic
Manual secure code review is essential for discovering business logic flaws, which automated tools cannot recognize, and for verifying the results of the SAST tools. Below are some of the areas of focus during a manual Secure Code Review.
- Input Validation
- Output Encoding
- Authentication and Password Management
- Session Management
- Access Control
- Cryptographic Practices
- Error Handling and Logging
- Data Protection
- Communication Security
- System Configuration
- Database Security
- File Management
- Memory Management
- General Coding Practices