Code Review
We put your code under the microscope
Are you wondering if your application is secure? We point out potential security vulnerabilities in your source code. Most security problems are caused by critical vulnerabilities in applications. Code reviews identify security gaps in the source code thus minimizing potential risks.
A code review is something you should seriously consider, especially for security-relevant applications that provide access to sensitive data. The result of this code review is a report that we send you specifying the vulnerabilities analyzed in the source code according to their criticality, as well as detailed suggestions on how to eliminate them. That way you create more security. Right from the start.
Our methods
In an analysis, we follow a standardized procedure in which the entire source code, or parts of it, are first subjected to an automated scan for vulnerabilities. In the next step, the results of this scan are examined for correctness in a manual process and further attack vectors, for example in the business logic of the application, are identified.
Depending on the kind of application, we use static or manual analysis methods. In doing so, we either look at a section or at your complete application. We check compliance with recognized secure coding guidelines and best practices. Our methods support all common programming languages such as Java, C+, PHP, Python and many more.
In static analysis procedures, also known as SAST (Static Application Security Testing), automated tools are used to identify vulnerabilities. The code is then analyzed manually on the basis of the tool results. The focus here is on reducing false positives and identifying other vulnerabilities that are difficult or impossible to detect using code scanners. Throughout the entire process, the source code of the application is checked without executing it.
Purely static analysis methods reach their limits when errors are based on business logic. This is where the dynamic analysis method used by our experts comes into play. This procedure mixes the SAST and DAST (Dynamic Application Security Testing) models in order to achieve optimal results. The procedure is largely identical to a static analysis, but supplemented by the option of checking the identified vulnerabilities for exploitability using a running application configured close to production. This gives you the best possible picture of the security level of your applications.
Our recommendations for you
In order to obtain a holistic picture of the security level of your application, we recommend carrying out a code review in the form of a dynamic analysis. It is essential that the results are reviewed by an expert in order to provide a realistic assessment. We specifically search for errors in the application and business logic by focusing on typical vulnerabilities such as injection, directory traversal, buffer overflow, privilege escalation, etc. We also analyze the cryptography methods used. We also analyze the cryptographic methods used and check exception handling. Errors in the use of control structures can also be discovered during the comprehensive check.
