Security Code Review Engine
Your code is only as strong as your weakest link.
Security Code Review
Many vulnerabilities cannot be discovered without looking at the code, and for many other vulnerabilities, a manual code review is simply more efficient than scanning or testing. Manual code review is the only way that several key security controls can be verified including access control, encryption, data protection, logging, and back-end system communications and usage.
Aspect advocates the use of code review as a part of our application assessment approach. Our use of code review makes our assessments more comprehensive and more accurate than any other approach. The use of code review also makes reviews more cost-effective.
Just as you have to exercise regularly to get the full benefit of exercise, code review has to be anchored on a routine task. One of the best ways to cement security code review into your SDLC is to anchor it on the nightly build, although it can also be anchored on a different SDLC phase.
CypherSec uses vulnerability scanning tools, both commercial and proprietary, as a part of our application assessment process. Combined with code review and security testing, our approach is more cost-effective and accurate than any other approach. We tailor scanning tools in order to get a high-quality scan, and then carefully diagnose, consolidate, and verify all of the automatically generated data.
Tools are not very good at understanding logic, and consequently at finding logic problems. They are also weak at finding problems in certain kinds of functionality, such as authorization bypass or parameter tampering. That’s why you will need to get your hands dirty from time to time.
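The following is an added illustration of the point above; it is example code written for this page, not code from Aspect/CypherSec or from any tool they use. It shows a document-lookup handler with an authorization flaw of the kind that scanners rarely report: there is no injection, no unsafe sink, and nothing taints the database call, yet any logged-in user can read any other user's document by changing the doc_id parameter. Only a reviewer reading the authorization logic notices that the check is missing. The function names, the in-memory DOCUMENTS table and the sample users are all constructed for the example; the fixed handler beside it ties the decision to the server-side session identity.

```python
# Added example (not code from the page or from Aspect/CypherSec): a logic flaw
# of the kind the text says scanners rarely catch. Both handlers use safe lookups
# and are free of injection; only reading the authorization logic reveals that the
# first one trusts a client-supplied document id without checking ownership.
# All names and the in-memory data store below are constructed for this example.

from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data standing in for a database table.
DOCUMENTS = {
    1: Document(1, "alice", "alice's notes"),
    2: Document(2, "bob", "bob's payroll export"),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested document."""


def get_document_vulnerable(session_user: str, doc_id: int) -> str:
    """Insecure direct object reference: the lookup is keyed only by the
    client-controlled doc_id, so any authenticated user can read any document
    by tampering with that parameter. session_user is never consulted. No
    tainted value reaches a dangerous sink, which is why pattern-based tools
    tend to report nothing here."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    return doc.body


def get_document_fixed(session_user: str, doc_id: int) -> str:
    """Same lookup, but the authorization decision is tied to the server-side
    session identity rather than to anything the client sent."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != session_user:
        # Same outcome for "missing" and "not yours", so the endpoint does not
        # reveal which ids exist.
        raise Forbidden(f"user {session_user!r} may not read document {doc_id}")
    return doc.body


def tampering_succeeds(handler, session_user: str, doc_id: int) -> bool:
    """Return True if session_user can read doc_id through handler.
    Used to demonstrate the difference between the two handlers."""
    try:
        handler(session_user, doc_id)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    # bob is logged in and edits doc_id=2 to doc_id=1 in his request.
    print("vulnerable handler leaks alice's doc:",
          tampering_succeeds(get_document_vulnerable, "bob", 1))  # True
    print("fixed handler leaks alice's doc:     ",
          tampering_succeeds(get_document_fixed, "bob", 1))       # False
```

A reviewer checking this code asks one question per endpoint: which server-side fact decides whether this caller may act on this object? If the answer is "nothing but the parameters the client sent", the endpoint is a parameter-tampering finding regardless of what the scanner says.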