Secure Code Review

The code review process consists of automated and manual code review by specialists focused on secure development. Source code analysis can also reveal hidden threats and potential weak spots in an application that would not be easily detected by ordinary penetration tests.

Our Story 

One of our foremost clients asked us to conduct penetration tests on a newly developed mobile app that manages users' financial information. Since the application was developed by a supplier company, the client also asked us, in addition to checking security, to verify compliance with the criteria that the application was designed to meet.

During penetration testing, we uncovered several very serious authentication and authorization vulnerabilities that could allow an attacker to access the profile and financial information of all the product's users. This highly critical data could be used by hackers, for instance, for phishing campaigns targeting users or directly in attacks on the institution. If this situation had arisen in actual operation, the company would have been at risk of large financial losses, the associated loss of its client base and damage to its reputation. However, because penetration testing was carried out in time, before the app was published for real operation, this serious incident was avoided.

What is more, the analysis of the design and the real state of the application pointed out some deviations from the agreed requirements, for example in the area of working with user documents, which is subject to the GDPR and which the supplier had not sufficiently secured in the app. Within the framework of the contract, the client was therefore able to negotiate fast, free fixes and thus increase their mobile app's level of security.

The solution's description

Secure development and source code review

Code review 

We check the security of the given source code in the form of manual and automated analysis and give customized recommendations for the application and technology.

Advanced white-box

We carry out comprehensive application security reviews by combining security code reviews, penetration testing and audits of the target applications.

Checkmarx 

We help clients implement advanced solutions from Checkmarx for automated source code analysis (CxSAST), software composition analysis (CxSCA) and developer training (Codebashing).

Training and consulting activities

We provide secure development training in the process (SSDLC) and technical (secure web application development) areas.

Code review 

  • Application reviews in many popular languages (Java, C#, PHP, ...).
  • An internal methodology based on experience from secure development and penetration testing, drawing on recognized standards from the OWASP project.
  • It can detect developer bugs, backdoors, design errors, deviations from best practices, use of weak cryptography, and many other vulnerabilities in the application.
  • Code review consists of two main analytical parts:
      • An automated review of the entire code using open-source and proprietary tools, with the results reviewed by a security specialist.
      • A manual review of the entire code or of sub-parts selected by the client or a security specialist.
  • The vulnerabilities uncovered are described in detail and customized recommendations are provided, which take into account the technology stack used.

Advanced white-box

  • An advanced form of white-box testing.
  • A combination of penetration testing, code review and other optional disciplines. 
  • It achieves better quality and efficiency by joining the forces of ethical hackers with experts in secure development. 
  • It maximizes the benefits of multiple security disciplines.

Checkmarx 

  • CxSAST - a tool for automated static analysis of source code that can be integrated with a wide range of technologies.
  • CxSCA - a tool for software composition analysis that aims to find vulnerable software dependencies and licensing conflicts.
  • Codebashing - a platform for educating developers in the area of writing secure code.

Training and consulting activities

  • Technical and procedural training. 
  • Consultation in the area of secure development.

Why AEC?

  • We are an established Czech security company that has been successfully operating on the market for over 30 years.
  • We listen to our clients and adapt our tests to their needs and the time they have available. 
  • Our team is made up of specialists with extensive experience in the area of development and ethical hacking. 
  • We follow modern trends in development, security and technology. 
  • When analysing source code, we put an emphasis on manual reviews, which uncover a greater number of errors than ordinary automated solutions alone.
  • We enable comprehensive security audits by combining several security disciplines.
  • We build our services on many years of experience and tried and tested standards.

References 

  • Škoda Auto a.s. 
  • Czech National Bank
  • NN Group 
  • Československá obchodná banka, a.s. 
  • KKCG 
  • ESSOX s. r. o. 
  • Moneta Money Bank
