Secure Code Review

Code reviews are arguably the most effective way to evaluate application security. If done during the development process, they are also the most cost effective.

Secure code reviews are part of software security best practices. Significant improvements in software security can be realized through a formal review of its design and coding. We use a combination of both manual and automated testing. Static and dynamic testing tools are very helpful in some respects but they do not replace the need for manual review. There is no substitute to actually looking at the code.

There are a number of different approaches to ensuring secure code. These include dynamic analysis, static analysis, automated testing, and manual testing. Each of these has its strengths and weaknesses. For the most effective and efficient reviews, a combination of techniques is usually necessary. Salient Security offers three levels of service designed to meet the needs of our clients.


Level I - Automated Static Code Analysis

Static analysis is one of the most effective ways to find vulnerabilities. It involves reviewing source code line by line. This can be done manually or with automated tools. While a manual review by an experienced professional is highly effective, it is also very slow. An assessor might be able to review 100 - 200 lines of code per hour. On the other hand, static code analysis software might be able to scan 100,000 - 200,000 lines of code in the same amount of time.

Automated static code analysis is great at finding issues such as SQL injection and cross-site scripting (XSS). However, there are many other types of security issues that all static analysis tools have trouble identifying, such as those related to logic errors, authentication, and authorization.
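An added illustration of the distinction above (not code from the original page), in Python against an in-memory SQLite table constructed here: the first pair shows the tainted-input-to-query pattern a static analyzer flags beside its parameterized fix, while the second pair shows a missing ownership check that is invisible to taint analysis because every query is already parameterized.

```python
import sqlite3

# Constructed sample data so the example runs offline.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, total INTEGER)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(1, "alice", 100), (2, "bob", 250)])
    return db

# What SAST catches: untrusted input is concatenated into the SQL text, so a
# tool tracking data flow from parameter to execute() reports an injection sink.
def invoice_total_unsafe(db: sqlite3.Connection, owner: str):
    row = db.execute(f"SELECT total FROM invoices WHERE owner = '{owner}'").fetchone()
    return row[0] if row else None

# Fix: a bound parameter is always treated as a value, never as query structure.
def invoice_total_safe(db: sqlite3.Connection, owner: str):
    row = db.execute("SELECT total FROM invoices WHERE owner = ?", (owner,)).fetchone()
    return row[0] if row else None

# What SAST misses: the query is parameterized and looks clean to a scanner, but
# the requesting user is never compared to the invoice owner (an authorization
# logic flaw only a reviewer who knows the business rule will spot).
def fetch_invoice_missing_authz(db: sqlite3.Connection, user: str, invoice_id: int):
    return db.execute("SELECT owner, total FROM invoices WHERE id = ?",
                      (invoice_id,)).fetchone()

# Fix: enforce ownership as part of the lookup so a user only ever sees their own rows.
def fetch_invoice_authz(db: sqlite3.Connection, user: str, invoice_id: int):
    return db.execute("SELECT owner, total FROM invoices WHERE id = ? AND owner = ?",
                      (invoice_id, user)).fetchone()
```

With the input `o'brien`, the unsafe query fails to parse while the safe one simply finds no row, which is the structural difference the scanner is reporting.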

Since automated static analysis is the "biggest bang for the buck," all organizations seeking to develop secure code should have it done. We offer this service for only $1,500 per application.


Level II - Combined Manual & Automated Analysis

The only way to ensure that all common types of insecurities are found efficiently is to employ both automated and manual techniques. This is what we do during a Level II assessment. We do this by performing the following tasks:

  • Gain an understanding of the application's function (interview developers, review existing documentation)
  • Perform threat analysis (threat agents, attack surface, possible attacks, required security controls, potential technical impacts, and important business impacts)
  • Identify existing and potential countermeasures
  • Conduct manual and automated tests (data validation, authentication, session management, authorization, cryptography, error handling, logging, security configuration, network architecture, logic, etc.)
  • Report findings
  • Assist with remediation / mitigation (optional)
  • Perform a reassessment (optional)


Level III - Secure Development Lifecycle Implementation

While a Level II assessment will greatly improve the security of your application, the best way to ensure security is to build it in right from the beginning. This is particularly important if you are developing financial applications or other software that will likely draw considerable attention from hackers. For example, companies developing applications that store, process, or transmit credit card data must ensure that this is being done. Not only is it prudent, it is a PCI (Payment Card Industry) requirement. Both the PCI-DSS (Data Security Standard), which is applicable to merchants and service providers, and the PA-DSS (Payment Application Data Security Standard), which is applicable to payment application vendors, require organizations to "Incorporate information security throughout the software development life cycle."

There are also compelling financial reasons to build security into the entire software development lifecycle (SDLC). Studies have shown that it is much less costly to find and fix issues early in the SDLC. For example, a Cigital study compared the cost of fixing 200 security issues at different stages. When all issues were corrected during the Coding phase, the cost was just under $200,000. But when the same 200 issues were found and corrected during Testing and Maintenance, the cost was almost $2.5 million. More than 10 times more expensive!

Bug Cost Chart

Had those same 200 issues been found and fixed during the Requirements phase the cost would have only been $28,000.

Studies such as this make it clear that the sooner security issues are found and corrected, the better off your company will be.

During a Level III engagement, we will work with your company to implement a Secure Development Lifecycle (SDL) process that will help ensure that security is addressed throughout your SDLC. To make the transition as smooth as possible, we will tailor it to work with your existing SDLC methodology (Agile, Scrum, XP, Waterfall, etc.).


Certificates

Developing secure applications is becoming more and more important. It is also becoming more important to be able to demonstrate to customers, business partners, and regulators that applications are secure. Therefore, once we have completed our assessment and all issues have been addressed, we will issue a Secure Code Certificate such as the one below. You can use this to demonstrate that you have taken appropriate steps to ensure your software is secure.

Certificate