Code Review

Pragmatic and in-depth code reviews, by the application security experts.

Applications that need a high level of security assurance benefit from code review. It is a part-manual, part-automated activity: MDSec employ a variety of automated scanning tools to cover the entire code base, then manually triage the output to eliminate false positives and qualify the issues that remain.

Automated scanning tools typically find around half of the flaws present, and are strongest in the areas of insecure API usage, unvalidated data and injection. MDSec uses scanners for pragmatic coverage of those areas and augments them with manual review of the areas concerning application logic and design, for which scanners are largely unsuited, including:

  • Authentication-related code
  • Access control
  • Enforcement of business logic
  • Use of encryption

Our code reviews can pinpoint remotely exploitable flaws which simply cannot be found by black-box testing.

Access to the code allows a security assessment to pinpoint numerous classes of potentially high-risk flaws that would not otherwise be visible, including:

  • Unreferenced API methods, endpoints or parameter values with powerful functionality which are callable but never exposed in the UI
  • Vulnerable code paths which are seldom exercised during normal application usage
  • Vulnerable server-side calls which may allow onward compromise but give the attacker little feedback about their operation (for example “blind injection” bugs, or logging of sensitive data on the server side)
  • Subtleties in the code which require specially crafted input to trigger exploitation, such as code which manipulates input in a specific way before using it
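As an added illustration of the last two points (this is example code written for this page, not MDSec's code or a finding from any real review), the snippet below shows a path sanitiser that strips "../" in a single pass. A black-box tester who sends the obvious "../" payload sees it blocked and moves on; a reviewer who reads the source sees that the strip is non-recursive and that the crafted input "....//" survives it. The base directory and function names are assumptions made for the example. The hardened version normalises the joined path and checks the result is still under the base directory, which is the property the naive version was trying to enforce.

```python
import posixpath
from typing import Optional

# Assumed base directory for the example; not taken from the page.
BASE_DIR = "/srv/app/files"


def naive_sanitise(user_path: str) -> str:
    """Vulnerable version: strips '../' once, non-recursively.

    str.replace removes each non-overlapping '../' in a single pass, so the
    crafted input '....//' collapses to '../' after stripping and the traversal
    survives. The plain '../' payload is blocked, which is all a black-box test
    would see.
    """
    cleaned = user_path.replace("../", "")
    return posixpath.join(BASE_DIR, cleaned)


def escapes_base(path: str) -> bool:
    """True if the path, once normalised, resolves outside BASE_DIR."""
    resolved = posixpath.normpath(path)
    inside = resolved == BASE_DIR or resolved.startswith(BASE_DIR + "/")
    return not inside


def hardened_resolve(user_path: str) -> Optional[str]:
    """Hardened version: normalise first, then check the containment property.

    Rather than trying to remove 'bad' substrings, join the input onto the base
    directory, collapse '.' and '..' components, and refuse anything that does
    not end up under BASE_DIR. A leading '/' is stripped so the user cannot
    supply an absolute path that posixpath.join would otherwise honour.
    """
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, user_path.lstrip("/")))
    if candidate == BASE_DIR or candidate.startswith(BASE_DIR + "/"):
        return candidate
    return None


def review_summary() -> dict:
    """Compare both versions on a benign path, the obvious payload, and the
    crafted one. Inputs are constructed for this example."""
    samples = ["reports/q1.pdf", "../etc/passwd", "....//etc/passwd"]
    return {
        s: {
            "naive_escapes": escapes_base(naive_sanitise(s)),
            "hardened": hardened_resolve(s),
        }
        for s in samples
    }


if __name__ == "__main__":
    for sample, result in review_summary().items():
        print(f"{sample!r}: naive escapes base = {result['naive_escapes']}, "
              f"hardened resolves to {result['hardened']}")
```

Running the block shows the naive sanitiser blocking "../etc/passwd" but letting "....//etc/passwd" resolve to /srv/app/etc/passwd, while the hardened resolver rejects the first and treats the second as a harmless file named "...." under the base directory.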

Ready to start testing your applications?

Speak to one of our industry experts and find out how MDSec can help your business.

+44 (0) 1625 263 503

contact@mdsec.co.uk