What is a code review?
A code review is aimed at making the software used in your organisation more secure. During this review, the source code and the configuration of the associated infrastructure are manually examined in detail by a security specialist, after which the vulnerabilities and risks can be charted.
Investigating source code for faults requires a different set of skills than is required for carrying out security tests. This is the reason why our hackers learn to write code during the course of their training, as well as expanding these skills through continuing to work in various different programming languages and frameworks. Combining these skills with their knowledge of security makes them extremely capable code auditors.
Heavy-duty: the code audit
A code review is a timeboxed activity: as much valuable feedback as possible will be given concerning the security of the investigated code base within the agreed period of time. However, when a more thorough answer is required, we carry out a Code Audit. During such an audit, all the lines of the code are investigated exhaustively for all known types of vulnerabilities.
What do we do during a code review?
- Comprehensive investigation for greater certainty
- Adjustment of software development on the basis of security feedback
- Feedback on architectural and design choices
- Education of developers through recommendations at code level
- Can be deployed as a periodical thermometer check
During a code review we carry out a manual check, whereby we investigate the code and configuration line by line for vulnerabilities. When we uncover a possible vulnerability, we validate that finding in a test environment. Following this primary analysis, we then investigate the item further in order to determine if this signals a structural problem. It is important in a code audit to test and report in a structured manner, which is why we make use of specially developed checklists.
What do you get after a code review?
The code review is carried out according to a checklist of possible types of vulnerabilities. During a code audit, the security consultant ensures that they examine all these types of vulnerabilities in the whole code base, so that they are then able to provide substantive comments on every item. In a review, the number and depth of findings depend on the agreed-upon time frame. At the end of the review or audit, the report is discussed with the developers so that they have all the information they need in order to increase the security quality of the code base.