Code reviews are typically conducted by organisations that wish to ensure their code is free from vulnerabilities or attack vectors which could be exploited to negatively impact the confidentiality, integrity and availability of applications and data.
Context’s code reviews are designed to identify potential vulnerabilities within the code; detail the potential impact on the business of each vulnerability found and the ease and likelihood of each of those vulnerabilities being exploited; and provide recommendations for their mitigation or elimination.
A review may begin by running automated software against the target source code. The software reads the source code files and converts them into a structure more suitable for security analysis. It contains a number of source code analysers which check that the code base complies with secure coding practices. It then categorises, ranks and provides detailed descriptions of all the issues identified. This approach enables Context to review a large number of lines of code in a relatively short period of time. It also provides a solid baseline and an appropriate starting point for manual verification of potential vulnerabilities.
Despite the benefits of automated code review, it is commonly accepted that automated software generates false positives. It is therefore essential that the findings of the automated software are also investigated and verified manually by an experienced security consultant. Context will also perform manual checks on code relating to elements of the application that perform security functions, such as input validation, authorisation, authentication and session management; and will check for inappropriate or insecure code constructions, cross-site scripting or improper error handling.
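As an added illustration (not Context's own tooling, and not code from this page), the following Python sketch shows the automated stage described above: source is parsed into a syntax tree, analysers flag insecure constructions, and findings are ranked by severity and confidence so that probable false positives, such as eval() applied to a literal, are triaged last during manual verification. The sample source, rule names and rankings are constructed for the example.

```python
import ast
from collections import namedtuple

# Constructed sample input (hypothetical application code, not from any real project).
SAMPLE_SOURCE = '''
import subprocess
def run(cmd):
    subprocess.call(cmd, shell=True)  # cmd may come straight from a request
def parse(expr):
    return eval(expr)
def fixed():
    return eval("1 + 1")
'''
# severity: business impact if exploited; confidence: how likely the finding is real.
# Both are used to order the manual verification that follows the automated pass.
Finding = namedtuple("Finding", "rule line severity confidence detail")
def _call_name(func):
    """Render the called expression as a dotted name, e.g. 'subprocess.call'."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""
class InsecureCallAnalyzer(ast.NodeVisitor):
    """Walks the parsed tree and flags calls that breach secure coding practice."""
    def __init__(self):
        self.findings = []
    def visit_Call(self, node):
        name = _call_name(node.func)
        if name == "eval":
            arg = node.args[0] if node.args else None
            if isinstance(arg, ast.Constant):  # literal argument: probable false positive
                self.findings.append(Finding("eval-literal", node.lineno, "Low", "Low",
                                             "eval() on a constant; confirm by hand"))
            else:
                self.findings.append(Finding("eval-dynamic", node.lineno, "High", "High",
                                             "eval() on a non-literal expression"))
        elif name in ("subprocess.call", "subprocess.run", "subprocess.Popen"):
            if any(k.arg == "shell" and isinstance(k.value, ast.Constant) and k.value.value is True
                   for k in node.keywords):
                self.findings.append(Finding("subprocess-shell", node.lineno, "High", "Medium",
                                             "shell=True; check whether cmd is untrusted input"))
        self.generic_visit(node)

def analyze(source):
    """Parse, analyse, then rank: highest severity and confidence first."""
    analyzer = InsecureCallAnalyzer()
    analyzer.visit(ast.parse(source))
    rank = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(analyzer.findings, key=lambda f: (rank[f.severity], rank[f.confidence], f.line))
```

Running analyze(SAMPLE_SOURCE) returns the two High findings first and the constant eval() last, which is the order a consultant would work through them.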