Source Code Review

Source Code Review Services

What is source code review?

Also known as security code review, it is the process of strategically auditing the entire source code of web, mobile and thick-client applications (applications which run on a user's machine) and verifying whether proper security controls are present and, in turn, work as intended.

When is source code review incorporated?

A source code review for your application is advised to be incorporated into the development life cycle at a very early stage, hence reducing the cost and time it takes developers and security analysts to remediate application flaws and security bugs.

Types of source code review:

  • Manual source code review: our security experts will manually go through every line of your application.
  • Automated source code review: our security experts will use licensed tools to assess your application.
  • Hybrid source code review: our security experts will assess your application by manually going through each and every line of your application as well as using licensed tools to review your source code, for maximum coverage.

Typical source code review testing engagement flowchart:

Manual Source Code Review Datasheet

The Rootfloe source code review will consist of a manual review of the overall code within the application, which will include the following:

  • Architecture and design review of the code, with recommendations for improvements.
  • Analysis of data boundaries to identify vulnerabilities.
  • Identifying the level of trust placed in each part of the code, and whether any untrusted data sources or communication channels are present.
  • Verify and validate the use of security protocols.
  • Verify the ciphers applied to sensitive data, both in storage and in transmission.
  • 100% horizontal coverage of the complete code, including cross-cutting concerns, for code quality analysis.
  • 100% vertical coverage of the complete code along transaction flows, for code quality analysis.

Rootfloe Source Review Methodology

Rootfloe's source review will manually cover 100% of the software's source code. This method of auditing and reviewing the application's source code will validate the security controls, the logic of the source code and the functionality of the source code, and verify whether it makes effective use of the language used to build the application. Specifically, it will review the security, language and architecture of the code.

The methodology consists of five phases:

Phase One:

In this phase, Rootfloe examines and validates the basic structure and solution organization of the source code.

During this phase, the following will be probed:

  • File/folder structure examination of the source code.
  • Security Organization
    1. Checking for any intermingling of public and private or sensitive files.
    2. Verifying the authenticity of keys and certificates.
  • Functional Organization
    1. Examination of code, configuration, development vs. deployment, and support of static content.
    2. Examination of solution-centric vs. component-centric organization.
  • Verification of scalability factor
    1. Checking scalability against single-server vs. data centre solutions.
    2. Verification of synchronization vulnerabilities due to scalability.

Phase Two:

In this phase, Rootfloe will determine the number of pages within the application using crawling tools.

The following checks will be undertaken:

  • Foreign Value Checks
    1. Consisting of methods/functions, parameters and return values.
  • Cohesion
    1. Grouping similar functionality into units with clearly marked boundaries in the source code.
  • Coupling
    1. Identifying the level of interaction of source code between/across unit boundaries.
  • Application Level Communication Protocol
    1. Verification and validation of handshakes between client and server.
  • Validating the solution domain topology
    1. Verification that systems, subsystems, modules and units are hierarchically divided.

Phase Three:

In this phase, Rootfloe will review the language and logic to validate whether they are written to the highest set standard, including reviewing ineffective and insecure code.

  • Type consistency
  • Naming conventions
  • Readability of the code
  • Level of commenting
  • Nesting depth
  • Validating logic patterns, e.g. "if (x == null) return true; else return false;" vs. "return x == null;"
  • Validating functional programming constructs like arrow functions, lambdas, LINQ and templated classes.
  • Validating scope specifiers like private, public, protected and internal for:
    1. Identifying unmanaged objects/resources.
    2. String handling.
    3. Identifying cut/paste/tweak code snippets.

Phase Four:

In this phase, Rootfloe will identify and verify the data flows and business logic of the application's source code.

  1. Identify and verify the inbound/outbound paths, including route handlers, on both the client and server side.
  2. Examine the materialization, validation, verification, transfer, transformation and persistence of the available data units, and validate and verify the different methods used for handling security risk.
  3. Verify the validity of the business logic, checking for vulnerabilities, and report on it for maintenance.
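As an added illustration of what the data-flow step above (and the trust-level check in the datasheet) looks like in practice, the following Python script is an example written for this page; it is not Rootfloe's tooling and not code from the original. It assumes a Flask-style request.args.get as the untrusted source, a hypothetical validate_int function as a validator the reviewer has already vetted, and a DB-API execute call as the sink; the handlers it inspects are constructed sample input. It walks each function's straight-line statements, propagates taint through assignments, and flags a sink whose query text is tainted, while accepting data that only reaches the sink as a bound parameter.

```python
"""Toy source-to-sink data-flow check: does untrusted request data reach a SQL
query string without passing through a validator? Added illustration only."""
import ast

# Constructed sample under review (Flask-style handlers, not code from the page).
SAMPLE = '''
def lookup_user(request, conn):
    uid = request.args.get("id")
    conn.execute("SELECT * FROM users WHERE id = " + uid)

def lookup_user_validated(request, conn):
    uid = validate_int(request.args.get("id"))
    conn.execute("SELECT * FROM users WHERE id = " + str(uid))

def lookup_user_parameterized(request, conn):
    uid = request.args.get("id")
    conn.execute("SELECT * FROM users WHERE id = ?", (uid,))
'''

# Assumed names: where untrusted data enters, what cleans it, where it must not land.
SOURCES = {"request.args.get", "request.form.get", "request.get_json"}
SANITIZERS = {"validate_int"}          # hypothetical validator vetted by the reviewer
SINKS = {"execute", "executescript"}   # first positional argument is the query text


def dotted_name(node):
    """'request.args.get' for a Name/Attribute chain, None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(expr, tainted):
    """True if the expression calls a source or mentions a tainted variable.
    A sanitizer is only recognised as the outermost call (conservative)."""
    if isinstance(expr, ast.Call) and dotted_name(expr.func) in SANITIZERS:
        return False
    for node in ast.walk(expr):
        if isinstance(node, ast.Call) and dotted_name(node.func) in SOURCES:
            return True
        if isinstance(node, ast.Name) and node.id in tainted:
            return True
    return False


def find_flows(source_code):
    """Return [(function, line, query_expr)] for each sink whose query text is
    tainted. Models straight-line code per function; branches/loops are not
    followed, so it is a review aid rather than a complete analysis."""
    findings = []
    tree = ast.parse(source_code)
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:
            # Propagate taint through simple single-name assignments.
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                name = stmt.targets[0].id
                if is_tainted(stmt.value, tainted):
                    tainted.add(name)
                else:
                    tainted.discard(name)
            # Check every sink call inside this statement.
            for call in ast.walk(stmt):
                if (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
                        and call.func.attr in SINKS and call.args):
                    query = call.args[0]
                    if is_tainted(query, tainted):
                        findings.append((func.name, call.lineno, ast.unparse(query)))
    return findings


if __name__ == "__main__":
    for fn, line, expr in find_flows(SAMPLE):
        print(f"{fn}:{line}: untrusted data reaches query text: {expr}")
```

Run against the sample, only lookup_user is reported: the validated handler breaks the taint at validate_int, and the parameterized handler keeps the untrusted value out of the query text entirely. A reviewer would extend SOURCES, SANITIZERS and SINKS to match the framework and data-access layer of the application under review.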

Phase Five:

In this phase, Rootfloe will report the documented results and respond to queries from the client side.

Deliverables

Complete Source Code Review service deliverables will be a detailed report with sections tailored for different audiences.

  • Executive Summary
    • This section contains a summary of the number of issues identified and the critical action items, with suggestions that need to be assigned for fixing.
  • Architecture Review
    • This section will outline the structural findings and suggest feedback regarding the comprehensive structure of the source code.
  • Detailed Findings
    • This section will contain detailed findings from the review, with references to source code files and line numbers, to provide a fine-grained reference for developers to identify and remediate the findings.
    • Findings will include a detailed description of each issue found, why it is identified as an issue, and steps for improvement.
    • Recommended steps to fix the identified gaps.
  • Observations
    • This section of the report will contain information gathered by the code reviewer, which might include suggestions on improving the quality of the code and any other suggestions they might want to convey to the technical team.
  • Appendices
    • Detailed information and evidence that has been used for reference.

Benefits of source code review

  • Improve your overall application security, feel and features. It is considered the first thing to do to improve code quality and software quality.
  • Fix bugs early when they are cheap to fix, which will reduce overall project time and cost.
  • Consistent design and implementation, which produces higher-quality software.
  • Adherence to coding standards/conventions.
  • Ability to comply with internal audits, ISO audits and various industry certifications.
  • Builds the confidence of stakeholders.