
Code Review

Research has shown that fixing security problems early in the development cycle is more efficient and more cost-effective than the traditional penetrate-and-patch model. NopSec application security consultants use rigorous, efficient source code inspection to identify serious software security problems at the onset of the development cycle.
NopSec's code review service detects vulnerabilities throughout an application's code base, whether it is a web application, a network service, or a client/server application. Reviewing the source identifies vulnerabilities that are hard to detect with any other methodology, such as black-box web application penetration testing.

We use commercial inspection tools to automate the process, and NopSec experts manually validate every reported issue and inspect the code directly to overcome the limitations of automated tools and the classes of bugs they miss. Our application security consultants also find policy and best-practice violations, such as inappropriate cryptographic algorithms and language constructs that commonly lead to vulnerabilities.

We have expertise in C, C++, C#, Java™, CFML, and PHP, working within development frameworks such as J2EE and the .NET Framework and developing on Win32 and UNIX platforms, combined with advanced knowledge of computer and information security, which makes our code reviews detailed and effective.

Common vulnerabilities identified during a Code Review include:

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Authentication Bypass
  • Application Logic Flaws
  • Buffer Overflows
  • Format strings
  • Resource exhaustion (DoS)
  • Insecure cryptographic algorithms and implementations

Our Code Review consultants have all worked as development practitioners on commercial enterprise software systems and understand the software development process as well as why and how security bugs are introduced. This experience, combined with advanced automated tools that use contextual analysis, enables us to look at more code faster, more accurately, and more effectively than other security consulting services.

When examining any sizeable application, we start by building a threat model in conjunction with the development team. This threat model helps us understand the application's functionality, technical design, and existing security threats and countermeasures. Threat models help us narrow the code base we need to examine down to a much smaller scope (typically 40 percent of the code).

Armed with the threat model and a complete understanding of the application's architecture, we use automated tools to assess the code for semantic and language security bugs. In general, we are looking for two types of issues: design flaws and implementation bugs. Design flaws are poor design decisions that have been implemented, such as choosing an inappropriate source of randomness for cryptographic key generation. Implementation bugs are typically syntactic or semantic language constructs that lead to security vulnerabilities.
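As an added illustration of the design-flaw category named above (this is not NopSec's tooling and not code from the original page), the following Python block shows a minimal automated rule that flags calls into Python's non-cryptographic `random` module, run over a constructed sample file, together with the flawed key-generation construct beside its fix. The sample source, the function names and the rule itself are all hypothetical.

```python
import ast
import random
import secrets
from typing import List, Tuple

# Constructed sample of target source (hypothetical): one function uses the
# Mersenne Twister (random module) for a token, the other uses the OS CSPRNG.
SAMPLE_SOURCE = """\
import random
import secrets

def make_session_token():
    # Design flaw: random.getrandbits is not a cryptographic source of randomness.
    return random.getrandbits(128).to_bytes(16, "big").hex()

def make_api_key():
    return secrets.token_hex(16)
"""

# Module-level functions of `random` that are commonly misused for secrets.
WEAK_PRNG_CALLS = {"random", "randint", "getrandbits", "randrange", "choice", "randbytes"}


def find_weak_randomness(source: str) -> List[Tuple[int, str]]:
    """Return (line number, call) for every call to a weak `random.*` function.

    This is the automated-tool half of the process: a syntactic rule that
    produces leads. It does not know whether the value is a key, a session
    token or a harmless shuffle, so each finding still needs manual validation.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        target = node.func.value
        if (isinstance(target, ast.Name) and target.id == "random"
                and node.func.attr in WEAK_PRNG_CALLS):
            findings.append((node.lineno, f"random.{node.func.attr}"))
    return findings


def weak_key(nbytes: int = 16) -> bytes:
    """Vulnerable construct: key material from a seeded, reproducible PRNG."""
    return random.getrandbits(nbytes * 8).to_bytes(nbytes, "big")


def strong_key(nbytes: int = 16) -> bytes:
    """Hardened form: key material from the OS CSPRNG via the secrets module."""
    return secrets.token_bytes(nbytes)


def weak_key_is_reproducible(seed: int = 1234) -> bool:
    """Demonstrate the flaw: two runs from the same seed yield the same key.

    An attacker who recovers or guesses the seed (or observes enough outputs
    of the generator) recovers every key derived from it.
    """
    random.seed(seed)
    first = weak_key()
    random.seed(seed)
    second = weak_key()
    return first == second


if __name__ == "__main__":
    for line, call in find_weak_randomness(SAMPLE_SOURCE):
        print(f"line {line}: {call} used where a CSPRNG may be required")
    print("weak key reproducible from seed:", weak_key_is_reproducible())
    print("strong key:", strong_key().hex())
```

The rule deliberately matches only on the module and function name; the reviewer's job is then to decide whether the flagged value is security-sensitive, which is exactly the manual validation step the automated tool cannot do.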

Vulnerability Remediation

Fixing a web application vulnerability is often a complex procedure, and most development teams lack the time or resources to do it. Understanding our customers' needs, NopSec offers a professional consulting service that helps developers fix the vulnerabilities identified during the Code Review service.

Deliverables

Our deliverables include the following:

  • Technical report
  • Executive summary
  • Strategic recommendations
  • Optional vulnerability Remediation and Code Fixes

Our detailed reports provide specific vulnerability information, including file and line locations, a description of the issue, and suggested solutions. We also provide an overview with statistics for code sections, such as vulnerability density (per 1,000 lines of code) in specific areas, and strategic remediation suggestions such as the creation of reusable components or security libraries.