Source Code Review Services
What is source code review?
Also known as security code review, it is the process of strategically auditing the entire source code of web, mobile and thick-client applications (applications that run on a user's machine) to verify whether proper security controls are present and, in turn, work as intended.
When is source code review incorporated?
A source code review of your application should be incorporated into the development life cycle at a very early stage, which reduces the cost and time developers and security analysts need to remediate application flaws and security bugs.
Types of source code review:
- Manual source code review: our security experts manually go through every line of your application's source code.
- Automated source code review: our security experts assess your application using licensed tools.
- Hybrid source code review: our security experts manually go through each and every line of your application and also use licensed tools to review your source code, for maximum coverage.
Typical source code review testing engagement flowchart:
Manual Source Code Review Datasheet
The Rootfloe source code security review will consist of a manual review of the overall code within the application and will include the following:
- Architecture and design review of the code with recommendations for improvements.
- Analysis of data boundaries to identify vulnerabilities.
- Identifying the level of trust in the code, and whether any untrusted data sources or communication channels are present.
- Verifying and validating the use of security protocols.
- Verifying that existing ciphers are applied to sensitive data, both in storage and in transmission.
- 100% horizontal coverage of the complete code, including cross-cutting concerns, for code quality analysis.
- 100% vertical coverage of the complete code of transaction flows for code quality analysis.
Rootfloe source review Methodology
Rootfloe's source review will cover 100% of the software's source code manually. This method of auditing the source code validates the application's security controls, the logic and functionality of the source code, and whether the application makes effective use of the language it is built in; specifically, it reviews the security, language and architecture of the code.
The methodology consists of five phases:
In the first phase, Rootfloe examines and validates the basic structure and solution organization of the source code.
During this phase, the following will be probed:
- File/folder structure examination of the source code.
- Security organization:
  - Verifying any intermingling of public and private sensitive files.
  - Verifying the authenticity of keys and certificates.
- Functional organization:
  - Examination of code, configuration, development vs. deployment, and support of static content.
  - Examination of solution-centric vs. component-centric organization.
- Verification of the scalability factor:
  - Checking scalability against single-server vs. data centre solutions.
  - Verification of synchronization vulnerabilities due to scalability.
In the second phase, Rootfloe will determine the number of pages within the application using crawling tools.
The following checks will be undertaken:
- Foreign value checks:
  - Consisting of methods/functions, parameters and return values.
  - Grouping similar functionality into units with marked boundaries in the source code.
  - Identifying the level of interaction of source code between and across unit boundaries.
- Application-level communication protocol:
  - Verification and validity of handshakes between client and server.
- Validating the solution domain topology:
  - Verification that systems, subsystems, modules and units are hierarchically divided.
In the third phase, Rootfloe will review the language and logic to validate whether they are written to the highest set standard, including reviewing ineffective and insecure code.
- Type consistency
- Naming conventions
- Readability of the code
- Level of commenting
- Nesting depth
- Validating logic patterns, e.g. if (x==null) return true; else return false; vs. return x==null;
- Validating functional programming constructs such as arrow functions, lambdas, LINQ and templated classes.
- Validating scope specifiers such as private, public, protected and internal for:
  - Identifying unmanaged objects/resources.
  - String handling.
  - Identifying cut/paste/tweak of code snippets.
In the fourth phase, Rootfloe will identify and verify the data flows and business logic of the application's source code.
- Identify and verify the inbound and outbound paths, including route handlers, on both the client and server side.
- Trace the materialization, validation, verification, transfer, transformation and persistence of the available data units, and validate and verify the different methods used for handling security risk.
- Verify and report on the validity of the business logic, covering vulnerabilities and maintainability.
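The kind of flow a reviewer traces in this phase can be shown on a small inbound path. The block below is an added example written for this page, not Rootfloe's code or tooling: a constructed transfer-request handler whose untrusted payload passes through the stages named above (materialization, validation, transformation, persistence) before it reaches storage. The payload shape, the account format rule, the per-transfer limit and the in-memory Ledger are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass


class ValidationError(ValueError):
    """Raised when an inbound data unit fails a boundary check."""


# Constructed business rules for this example (assumptions, not from the page).
ACCOUNT_RE = re.compile(r"^[a-z0-9_]{3,32}$")
MAX_AMOUNT_CENTS = 1_000_000


@dataclass(frozen=True)
class TransferRequest:
    """Materialized, typed form of an inbound transfer payload."""
    account: str
    amount_cents: int


def materialize(raw: dict) -> TransferRequest:
    """Stage 1: turn the untrusted payload into a typed value.

    Unknown fields are rejected rather than ignored, so a reviewer can see
    exactly which inbound values are allowed to reach the rest of the flow.
    """
    allowed = {"account", "amount"}
    extra = set(raw) - allowed
    if extra:
        raise ValidationError(f"unexpected fields: {sorted(extra)}")
    try:
        account = raw["account"]
        amount = raw["amount"]
    except KeyError as exc:
        raise ValidationError(f"missing field: {exc}") from exc
    if not isinstance(account, str):
        raise ValidationError("account must be a string")
    # bool is a subclass of int; reject it explicitly so True does not become 1.
    if isinstance(amount, bool) or not isinstance(amount, (int, str)):
        raise ValidationError("amount must be an integer or a digit string")
    try:
        amount_cents = int(amount)
    except ValueError as exc:
        raise ValidationError("amount is not an integer") from exc
    return TransferRequest(account=account, amount_cents=amount_cents)


def validate(req: TransferRequest) -> TransferRequest:
    """Stage 2: enforce format and business rules at the trust boundary."""
    if not ACCOUNT_RE.fullmatch(req.account):
        raise ValidationError("account identifier has an invalid format")
    if req.amount_cents <= 0:
        raise ValidationError("amount must be positive")
    if req.amount_cents > MAX_AMOUNT_CENTS:
        raise ValidationError("amount exceeds the per-transfer limit")
    return req


def transform(req: TransferRequest) -> dict:
    """Stage 3: shape the validated data unit for the persistence layer."""
    return {
        "account": req.account,
        "amount_cents": req.amount_cents,
        "amount_display": f"{req.amount_cents / 100:.2f}",
    }


class Ledger:
    """Stage 4: in-memory persistence standing in for a database."""

    def __init__(self):
        self.records = []

    def persist(self, record: dict) -> int:
        self.records.append(record)
        return len(self.records)  # record id


def handle_transfer(raw: dict, ledger: Ledger) -> dict:
    """Inbound route handler: the single entry point a reviewer traces.

    Every inbound value goes materialize -> validate -> transform before
    persist; a rejection is reported without the ledger being touched.
    """
    try:
        req = validate(materialize(raw))
    except ValidationError as exc:
        return {"status": "rejected", "reason": str(exc)}
    record_id = ledger.persist(transform(req))
    return {"status": "ok", "id": record_id}


if __name__ == "__main__":
    ledger = Ledger()
    print(handle_transfer({"account": "alice_01", "amount": "250"}, ledger))
    print(handle_transfer({"account": "alice_01", "amount": -5}, ledger))
    print(handle_transfer({"account": "bob", "amount": 10, "admin": True}, ledger))
```

When reviewing a real handler against this shape, the questions are the ones the phase lists: is there any inbound path that reaches persist without passing validate, does validation happen on the server side rather than only in the client, and is each business rule (here the positive amount and the transfer limit) enforced in code rather than assumed.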
In the fifth phase, Rootfloe will report the documented results and respond to queries from the client side.
The complete source code review service deliverable will be a detailed report with sections tailored for different audiences.
- Executive Summary
  - This section contains a summary of the number of issues identified and the critical action items, with suggestions for who should be assigned to fix them.
- Architecture Review
  - This section outlines the structural findings and gives feedback on the overall structure of the source code.
- Detailed Findings
  - This section contains the detailed findings of the review, referenced to source files and line numbers to give developers a fine-grained reference for identifying and remediating each finding.
  - Each finding includes a detailed description of the issue, why it is identified as an issue, and steps for improvement.
  - Recommended steps to fix the identified gaps.
  - Information gathered by the code reviewer, which may include suggestions on improving the quality of the code and any other points the reviewer wants to convey to the technical team.
  - Detailed information and evidence used for reference.
Benefits of source code review
- Improve your overall application security, feel and features. It is considered the first step towards improving code quality and software quality.
- Fix bugs early, when they are cheap to fix, which reduces overall project time and cost.
- Consistent design and implementation, which produces higher-quality software.
- Adherence to coding standards and conventions.
- Ability to comply with internal audits, ISO audits and various industry certifications.
- Builds the confidence of stakeholders.
Industries we support
Construction & Real Estate
Consumer, Entertainment, Retail
Education & Nonprofit
Healthcare & Life Sciences
Manufacturing & Distribution
Technology & Software