Source Code Audit

The aim of a Source Code Audit is to discover security weaknesses, bugs and human mistakes introduced during programming.

To carry out an effective Source Code Audit, the best practice is to follow a methodology. CTDSec uses the guidelines set out in the OWASP Code Review Guide, a reference standard for this type of project.

Service features

The key point when auditing the code of an application of a certain complexity or size is to understand its context and its other key characteristics. At this stage the team that carries out the project aims to become familiar with the following aspects of the application:

Code

The objective of the project is to define the improvements needed to apply good security practices in the development.

Context

It is necessary to become familiar with the application that is going to be reviewed.

Public

It may be convenient to have the collaboration of the application's users, who can provide information about the audited application.

Topology

The status of the application and its components within the context of the network.

Importance

It is necessary to know how much availability the application requires and what its loss would mean for the business.

Methodology

Scope of the tests

Authentication

The audit verifies that all internal and external connections (users and entities) pass through an appropriate authentication system and that these controls cannot be bypassed; that all pages or zones of the application require proper authentication; that credentials and other sensitive information are transmitted using POST methods; etc.

Authorization

The audit verifies that appropriate authorization mechanisms have been implemented; that user types or profiles and the rights of those users are clearly defined; that the principle of "least privilege" is applied; that authorization is checked on each request; etc.

Cookies Management

The audit reviews that cookies do not include sensitive information; that unauthorized actions cannot be carried out by manipulating them; that encryption is used and cookies are not transmitted over unsecured channels; that session data is validated correctly and cookies keep the least amount of information possible; etc.

Input Data Validation

The audit verifies that robust data validation mechanisms exist and cover all data that can be modified by a malicious user, such as HTTP headers, input fields, hidden fields, list data and cookies; that all validation is performed on the server side and not on the client; that there are no backdoors in the validation model; etc.

Error Management

At this point it is checked that all methods and functions that return values have correct error handling and return verified, expected values in error conditions; that exceptions and error situations are managed; that system errors are not returned to the user; that the application fails "safely"; etc.

Logging / Audit

The audit verifies that no sensitive information is stored in the application logs: cookies, information passed in "GET" methods, authentication credentials, etc.; that the application records the actions performed by users, especially potentially dangerous actions; that all authentication events, failed or successful, are logged; etc.
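As an added illustration of the Cookies Management criteria above (example code written for this page, not a CTDSec tool), the following script audits Set-Cookie header values for unsecured transmission, script access, cross-site attachment, oversized client-side state and sensitive fields. The sample headers and the list of sensitive field names are constructed assumptions.

```python
import base64
import json

# Field names that should never travel in a cookie (assumption: illustrative list).
SENSITIVE_KEYS = {"password", "passwd", "secret", "ssn", "card_number"}

def _decode_value(value):
    """Try to read a cookie value as base64-encoded JSON; return a dict or None."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        obj = json.loads(raw)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON: treat as opaque
        return None
    return obj if isinstance(obj, dict) else None

def audit_set_cookie(header, max_value_len=512):
    """Return the findings for one Set-Cookie header value (empty list = clean)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie can be sent over unencrypted HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable from page scripts")
    if "samesite" not in attrs:
        findings.append("missing SameSite: cookie attached to cross-site requests")
    if len(value) > max_value_len:
        findings.append("oversized value: keep state server-side, not in the cookie")
    decoded = _decode_value(value)
    if decoded is not None:
        findings.append("readable state in cookie: validate server-side, never trust it")
        for key in decoded:
            if key.lower() in SENSITIVE_KEYS:
                findings.append(f"sensitive field stored in cookie: {key}")
    return findings

# Constructed samples: a cookie carrying a readable JSON profile and an opaque session id.
_BAD_VALUE = base64.b64encode(
    json.dumps({"user": "alice", "password": "hunter2"}).encode()).decode()
SAMPLE_HEADERS = {
    "profile": f"profile={_BAD_VALUE}; Path=/",
    "session": "sid=3f9a1c7e; Path=/; Secure; HttpOnly; SameSite=Strict",
}

def audit_samples():
    """Audit every sample header; returns {cookie label: [findings]}."""
    return {label: audit_set_cookie(h) for label, h in SAMPLE_HEADERS.items()}

if __name__ == "__main__":
    for label, findings in audit_samples().items():
        print(label, "->", findings or ["no findings"])
```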