Our code reviews can pinpoint remotely exploitable flaws which simply cannot be found in black-box assessments.
Access to source code allows a security assessment to pinpoint numerous classes of potentially high-risk flaws which would not otherwise be visible, including:
– Unreferenced API methods, endpoints or parameter values with powerful functionality, which are callable but not displayed in the UI;
– Vulnerable code paths, which may be seldom encountered within normal application usage;
– Vulnerable server-side calls which may allow onward compromise but give the attacker little or no feedback about their operation (examples include "blind injection" bugs or server-side logging of sensitive data);
– Any subtleties in the code which may require specially crafted input in order to trigger exploitation, such as code which transforms or manipulates input in a specific way before using it.