Source Code Review Services
What is source code review?
Also known as security code review, it is the systematic audit of the entire source code of web, mobile and thick-client applications (applications that run on the user's machine) to verify whether proper security controls are present and, in turn, whether they work as intended.
When should source code review be incorporated?
A source code review is best incorporated into the development life cycle at a very early stage, which reduces the cost and time developers and security analysts need to remediate application flaws and security bugs.
Types of source code review:
- Manual source code review: our security experts go through every line of your application by hand.
- Automated source code review: our security experts assess your application using licensed tools.
- Hybrid source code review: our security experts go through every line of your application by hand and also use licensed tools to review your source code, for maximum coverage.
Typical source code review testing engagement flowchart:
Manual Source Code Review Datasheet
The Rootfloe source code review consists of a manual review of the overall code of the application and includes the following:
- Architecture and design review of the code, with recommendations for improvements.
- Analysis of data boundaries to identify vulnerabilities.
- Identifying the level of trust assigned to each part of the code, and whether any untrusted data sources or communication channels are present.
- Verifying and validating the use of security protocols.
- Verifying the ciphers applied to sensitive data, both in storage and in transmission.
- 100% horizontal coverage of the code (cross-cutting concerns) for code quality analysis.
- 100% vertical coverage of the code (transaction flows) for code quality analysis.
Rootfloe Source Review Methodology
Rootfloe's source review covers 100% of the application's source code manually. Reviewing the source code this way validates the security controls, the logic and functionality of the code, and whether the language used to build the application has been used effectively; specifically, the review covers the security, language and architecture of the code.
The methodology consists of five phases:
Phase 1: Rootfloe examines and validates the basic structure and solution organization of the source code.
During this phase, the following are probed:
- File/folder structure examination of the source code.
- Security organization:
  - Verifying whether publicly served and privately sensitive files are intermingled.
  - Verifying the authenticity of keys and certificates.
- Functional organization:
  - Examination of code, configuration, development vs. deployment, and support of static content.
  - Examination of solution-centric vs. component-centric organization.
- Verification of the scalability factor:
  - Checking scalability of a single-server solution vs. data-centre solutions.
  - Verification of synchronization vulnerabilities introduced by scaling out.
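The "intermingling of publicly and privately sensitive files" check above is one that can be automated as a first pass before the manual review. The following is an added example written for this page, not Rootfloe's own tooling: it scans a constructed repository snapshot for private key material and hard-coded credentials, and flags a finding as exposed when the file sits under a directory that is typically served verbatim to browsers. The repository contents, the list of public directories and the detection rules are assumptions chosen for illustration; the AWS-style values are the example values from the AWS documentation. Certificate authenticity (the second check in that list) is not covered here, since it needs the trust chain, not the source tree.

```python
"""Added example (not Rootfloe's tooling): scan a source tree for private key
material and hard-coded credentials, and report whether each hit sits under a
directory that is normally served to the public.

Assumptions: REPO is a constructed snapshot, PUBLIC_DIRS and RULES are
illustrative, and the AWS-style values are the documented AWS example values.
"""
import re

# Constructed repository snapshot: relative path -> file content (assumption).
REPO = {
    "src/app/config.py": 'DB_URL = "postgres://app:s3cretpass@db/app"\nDEBUG = False\n',
    "static/js/app.js": "const API_KEY = 'AKIAIOSFODNN7EXAMPLE';\n",
    "public/.env": "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "certs/server.key": "-----BEGIN RSA PRIVATE KEY-----\n(key material omitted)\n-----END RSA PRIVATE KEY-----\n",
    "static/server.crt": "-----BEGIN CERTIFICATE-----\n(certificate body omitted)\n-----END CERTIFICATE-----\n",
    "README.md": "Run `make test` before pushing.\n",
}

# Directories whose contents are normally served verbatim to browsers (assumption).
PUBLIC_DIRS = {"static", "public", "www"}

# Detection rules, in the order findings are reported (illustrative, not exhaustive).
RULES = [
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED |)PRIVATE KEY-----")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # user:password@ embedded in a connection URL
    ("credential_in_url", re.compile(r"://[^/\s:@]+:[^@\s]+@")),
    # NAME_WITH_SECRET_KEYWORD = "at least eight non-space characters"
    ("secret_assignment", re.compile(
        r"(secret|password|passwd|token|api_key)\w*\s*[=:]\s*['\"]?[^\s'\"]{8,}",
        re.IGNORECASE)),
]


def is_public_path(path):
    """True when the first path component is a directory served to clients."""
    return path.split("/", 1)[0] in PUBLIC_DIRS


def scan_repo(repo):
    """Return [(path, rule_name, exposed)] for every rule that matches a file.

    `exposed` is True when the sensitive content sits under a public directory,
    i.e. private material is intermingled with publicly served files.  A public
    certificate under static/ is deliberately not a finding: it is not secret.
    """
    findings = []
    for path in sorted(repo):
        content = repo[path]
        for name, pattern in RULES:
            if pattern.search(content):
                findings.append((path, name, is_public_path(path)))
    return findings


if __name__ == "__main__":
    for path, rule, exposed in scan_repo(REPO):
        severity = "HIGH (served publicly)" if exposed else "MEDIUM"
        print(f"{severity:22} {rule:20} {path}")
```

Pattern-based scanning like this produces false positives (any long value after the word "token") and misses secrets with no recognisable shape, which is why the datasheet pairs it with a manual pass; the value of the "exposed" flag is that it turns a code-hygiene issue into a priority: a key under static/ or public/ is retrievable by anyone who can guess its URL.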
Phase 2: Rootfloe determines the number of pages within the application using crawling tools.
The following checks are undertaken:
- Foreign value checks:
  - Covering methods/functions, parameters and return values.
- Grouping similar functionality into units with marked boundaries in the source code.
- Identifying the level of interaction between source code within and across unit boundaries.
- Application-level communication protocol:
  - Verification and validation of handshakes between client and server.
- Validating the solution domain topology:
  - Verification that systems, subsystems, modules and units are divided hierarchically.
Phase 3: Rootfloe reviews the language and logic of the code to validate that they are written to the highest standard, including identifying ineffective and insecure code. The review covers:
- Type consistency
- Naming conventions
- Readability of the code
- Commenting levels
- Nesting depth
- Validating logic patterns, e.g. if (x == null) return true; else return false; vs. return x == null;
- Validating programming functionality such as arrow functions, lambdas, LINQ and templated classes.
- Validating scope specifiers such as private, public, protected and internal.
- Identifying unmanaged objects/resources.
- String handling.
- Identifying cut/paste/tweak of code snippets.
Phase 4: Rootfloe identifies and verifies the data flows and business logic of the application's source code.
- Identify and verify the inbound/outbound paths, including route handlers, on both the client and server side.
- Trace the materialization, validation, verification, transfer, transformation and persistence of each data unit, and validate and verify the methods used to handle the associated security risk.
- Verify the business logic for vulnerabilities and report on its validity and maintainability.
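The data-flow phase above, together with the earlier datasheet items on data boundaries and levels of trust, comes down to one question per path: can a value that entered from an untrusted source reach a dangerous operation without being validated or sanitised on the way? The following is an added example written for this page, not Rootfloe's own tooling: a small intra-procedural source-to-sink (taint) check over Python code using the standard ast module. It marks a variable tainted when it is assigned from an untrusted source, clears the mark when the variable is reassigned from a trusted value or wrapped in a sanitiser, and reports each sink call whose sensitive argument is still tainted. The lists of sources, sinks and sanitisers, and the SAMPLE module being reviewed, are assumptions constructed for illustration.

```python
"""Added example (not Rootfloe's tooling): an intra-procedural source-to-sink
check over Python source using the standard `ast` module.

Assumptions: UNTRUSTED_SOURCES, DANGEROUS_SINKS and SANITIZERS are
illustrative lists, and SAMPLE is a constructed module under review.
"""
import ast

# Dotted callee names whose return value is attacker-controlled (assumption).
UNTRUSTED_SOURCES = {"request.args.get", "request.form.get", "input"}
# Sink callee name -> index of the argument that must not be tainted (assumption).
# For cursor.execute only the query string (arg 0) matters; bound parameters are safe.
DANGEROUS_SINKS = {"os.system": 0, "subprocess.call": 0, "cursor.execute": 0, "eval": 0}
# Calls whose result is trusted even when the argument was tainted (assumption).
SANITIZERS = {"shlex.quote", "int"}

# Constructed module under review (assumption). Findings are reported by line number.
SAMPLE = """import os
import shlex
from flask import request

def ping(cursor):
    host = request.args.get("host")
    os.system("ping -c 1 " + host)
    safe = shlex.quote(host)
    os.system("ping -c 1 " + safe)
    cursor.execute(f"SELECT * FROM hosts WHERE name = '{host}'")
    cursor.execute("SELECT * FROM hosts WHERE name = %s", (host,))
    label = "static"
    host = label
    os.system("echo " + host)

def version():
    os.system("uname -a")
"""


def call_name(node):
    """Dotted name of a Call's callee, e.g. 'request.args.get'; None if not a simple name chain."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if not isinstance(func, ast.Name):
        return None
    parts.append(func.id)
    return ".".join(reversed(parts))


class TaintFinder(ast.NodeVisitor):
    """Tracks tainted local names per function and records tainted sink calls."""

    def __init__(self):
        self.tainted = set()
        self.findings = []  # (line number, sink name)

    def is_tainted(self, expr):
        # A sanitiser at the top of the expression produces a trusted value.
        if isinstance(expr, ast.Call) and call_name(expr) in SANITIZERS:
            return False
        # Otherwise any tainted name or untrusted source anywhere inside the
        # expression taints it (covers f-strings and string concatenation).
        for sub in ast.walk(expr):
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return True
            if isinstance(sub, ast.Call) and call_name(sub) in UNTRUSTED_SOURCES:
                return True
        return False

    def visit_FunctionDef(self, node):
        self.tainted = set()  # intra-procedural only: taint does not cross functions
        self.generic_visit(node)

    def visit_Assign(self, node):
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if tainted:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # reassignment from a trusted value clears taint
        self.generic_visit(node)

    def visit_Call(self, node):
        idx = DANGEROUS_SINKS.get(call_name(node))
        if idx is not None and len(node.args) > idx and self.is_tainted(node.args[idx]):
            self.findings.append((node.lineno, call_name(node)))
        self.generic_visit(node)


def find_tainted_sinks(source):
    """Return [(line, sink)] for every sink call whose checked argument is tainted."""
    finder = TaintFinder()
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    for line, sink in find_tainted_sinks(SAMPLE):
        print(f"line {line}: untrusted data reaches {sink}")
```

On SAMPLE the check reports line 7 (the query parameter concatenated into a shell command) and line 10 (the same value interpolated into an SQL string); line 9 is clean because the value passed through shlex.quote, line 11 because the tainted value is a bound parameter rather than part of the query text, and line 14 because host was reassigned from a constant. The limits are the ones a manual reviewer then covers: taint is not followed across function calls or into containers, and a sanitiser is trusted by name alone, which is exactly the "validate the methods used to handle security risk" item in the list above.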
Phase 5: Rootfloe reports the documented results and responds to queries from the client.
The complete source code review deliverable is a detailed report with sections tailored for different audiences.
- Executive Summary
  - A summary of the number of issues identified and the critical action items, with suggestions for who should be assigned to fix them.
- Architecture Review
  - Outlines the structural findings and gives feedback on the overall structure of the source code.
- Detailed Findings
  - Detailed findings from the review, referenced to source files and line numbers, giving developers a fine-grained reference for identifying and remediating each finding.
  - Each finding includes a detailed description of the issue, why it is identified as an issue, and steps for improvement.
  - Recommended steps to fix the identified gaps.
- Additional information gathered by the code reviewer, which may include suggestions on improving the quality of the code and anything else the reviewer wants to convey to the technical team.
- Detailed information and evidence used for reference.
Benefits of source code review
- Improves your overall application security, feel and features; it is considered the first step towards improving code quality and software quality.
- Fixes bugs early, when they are cheap to fix, which reduces overall project time and cost.
- Consistent design and implementation, which produces higher-quality software.
- Adherence to coding standards/conventions.
- Ability to comply with internal audits, ISO audits and various industry certifications.
- Builds the confidence of stakeholders.
Industries we support
Construction & Real Estate
Consumer, Entertainment, Retail
Education & Nonprofit
Healthcare & Life Sciences
Manufacturing & Distribution
Technology & Software
What We Offer
Information Security Services
Complete Security Configuration
We provide detailed analysis and verification of the configuration settings of your IT infrastructure to detect vulnerabilities and report on fixes to be implemented.
Rootfloe is highly technical and professional with respect to their performance and can undertake large complex tasks very accurately and achieve all objectives as per regulations. Their services come highly recommended.
COO, Leading BFSI Company.
We are extremely satisfied with the level of service and dedication shown by Rootfloe's technical and management teams at every step of the engagement. They always adhered to their time schedule. We received numerous recommendations after they assessed our systems and I would be extremely pleased to say that my systems are safe now. I would recommend Rootfloe to my network of business associates and will be engaging them on a regular basis.
CEO, Spanish Solar Company.
Rootfloe's team was extremely competent and methodical in the assessment of our applications. They were successful in diagnosing multiple flaws hidden in the application. The final report Rootfloe submitted was very comprehensive and contained all the information needed for our developers to fix all the issues. Rootfloe's technical help was available at every step; they always answered all the queries we put forward, helped us fix the issues that we couldn't, and helped us achieve IT best practices. We are thankful to them for all their help and would definitely refer them to other organizations looking to get their IT systems in order. I will be engaging with them on a timely basis henceforth.
CTO, United Kingdom, Internet Service Provider.
When my IT team told me that they needed a security audit for our website, I thought: why would I need one? We contacted a couple of cybersecurity service providers and my technical team explained all the issues we faced, and the only company who were ready to explain all the issues clearly was Rootfloe. We then engaged them for web application VAPT; they told our team where the issues were and helped our team fix all of them. We have also used their service for a complete security audit of our organization, and we came to know there were major security gaps that needed to be fixed. Rootfloe helped us technically to rectify and fix the security gaps. We are now using Rootfloe's service on a full-time basis and now have a Rootfloe staff member on our payroll for all our cybersecurity and cyber compliance needs.
CEO, United Kingdom, Leading Prototype Manufacturing Facility.
We contacted Rootfloe when my finance team was hacked and lost £8,000. We were referred to Rootfloe by a friend of mine in the computer sector. Once we called for technical help, a single person from Rootfloe arrived, and I thought: what would he do? He checked all the systems, connected his computer to ours, did some tests and found a backdoor entry into the accounts system CMS, where the hacker got access to the payments to be made and where we store the account numbers and bank details of the vendors we pay; the hacker changed the account number of a vendor to his own account number and we made the payment. I didn't even know it was possible. The issue was noticed and rectified; it only took them 3 days to find where the entry point was. We were recommended to undergo an IT security audit and my IT staff rectified all the issues that were brought forward. I will be engaging and recommending Rootfloe to all.
Chairman, United Kingdom, Leading Food Manufacturing Facility.
Ready to see how RootFloe can help?
Need a hand with your security program? Let our cyber security experts help.