Pacific Global Security Group

Source Code Review Services


What is source code review?

Also known as security code review, it is the process of strategically auditing the entire source code of web, mobile and thick-client applications (an application which runs on a user's machine) to verify whether proper security controls are present and, in turn, work as intended.

When is source code review incorporated?

A source code review for your application should be incorporated into the development life cycle at a very early stage, which reduces the cost and time it takes developers and security analysts to remediate application flaws and security bugs.

Types of source code review:

  • Manual source code review: Our security experts will manually go through every line of your application.
  • Automated source code review: Our security experts will use licensed tools to assess your application.
  • Hybrid source code review: Our security experts will assess your application by manually going through each and every line as well as using licensed tools to review your source code for maximum coverage.


Manual Source Code Review Datasheet

The Pac-Sec source code review will consist of a manual review of the overall code within the application, which will include the following:

  • Architecture and design review of the code with recommendations for improvements.
  • Analysis of data boundaries to identify vulnerabilities.
  • Identifying the level of trust in the code, including whether any untrusted data sources or communication channels are present.
  • Verifying and validating the use of security protocols.
  • Verifying the ciphers applied to sensitive data, both in storage and in transmission.
  • 100% horizontal coverage of the complete code, including cross-cutting concerns, for code quality analysis.
  • 100% vertical coverage of the complete code of transaction flows for code quality analysis.


Pac-Sec Source Review Methodology

Pac-Sec source review will cover 100% of the source code of the software manually. This method of auditing the source code validates the security controls, the logic of the source code and the functionality of the source code, and verifies whether the application makes effective use of the language it was built with. Specifically, it reviews the security, language and architecture of the code.

The methodology consists of five phases:


Phase One:

In this phase, Pac-Sec examines and validates the basic structure and solution organization of the source code.

During this phase, the following will be probed:

  • File/folder structure examination of the source code.
  • Security organization
    1. Verifying any intermingling of public and private (sensitive) files.
    2. Verifying the authenticity of keys and certificates.

  • Functional organization
    1. Examination of code, configuration, development vs. deployment, and support of static content.
    2. Examination of solution-centric vs. component-centric organization.

  • Verification of scalability factors
    1. Checking scalability of single-server solutions vs. data center solutions.
    2. Verification of synchronization vulnerabilities arising from scalability.
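As an added example (not Pac-Sec's tooling or part of the original page), the script below shows the kind of check a reviewer runs for the "security organization" item above: it walks a project tree and flags secret-bearing files (private keys, .env files, keystores) that sit under a directory served as public static content. The public directory names and secret filename patterns are assumptions, and the project tree is constructed in a temporary directory so the script runs offline.

```python
"""Flag secret material intermingled with publicly served files.

Added example, not Pac-Sec's code. PUBLIC_DIRS and SECRET_NAME_RE are
assumed conventions; the sample project tree is constructed, not real data.
"""
import os
import re
import tempfile

# Directories conventionally served as static content (assumption).
PUBLIC_DIRS = {"static", "public", "wwwroot", "assets"}

# Filename patterns that usually carry secrets (assumption).
SECRET_NAME_RE = re.compile(r"(\.env$|\.pem$|\.key$|\.p12$|\.pfx$|\.jks$|id_rsa$)")

# Content marker that identifies a PEM private key regardless of filename.
PRIVATE_KEY_MARKER = re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")


def is_under_public_dir(rel_path):
    """True if any directory component of rel_path is a public/static directory."""
    parts = rel_path.replace("\\", "/").split("/")[:-1]
    return any(p in PUBLIC_DIRS for p in parts)


def looks_secret(path):
    """Flag by filename, or by content for small files containing a PEM private key."""
    if SECRET_NAME_RE.search(os.path.basename(path)):
        return True
    try:
        if os.path.getsize(path) < 64 * 1024:
            with open(path, "rb") as fh:
                return PRIVATE_KEY_MARKER.search(fh.read()) is not None
    except OSError:
        pass
    return False


def find_public_secrets(root):
    """Return sorted relative paths of secret-bearing files under public dirs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace("\\", "/")
            if is_under_public_dir(rel) and looks_secret(full):
                hits.append(rel)
    return sorted(hits)


def build_sample_tree():
    """Construct a throwaway project layout (constructed sample, not real data)."""
    root = tempfile.mkdtemp(prefix="review_")
    layout = {
        "src/app.py": b"print('hello')\n",
        # Key kept outside any public directory: correctly organised, not flagged.
        "config/server.key": b"-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n",
        "static/js/app.js": b"console.log(1);\n",
        # Secrets file dropped into the static root: flagged by name.
        "static/.env": b"DB_PASSWORD=constructed-sample\n",
        # Innocent filename, but the content is a private key: flagged by content.
        "public/backup/legacy.txt": b"-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_public_secrets(sample_root):
        print("secret material under a public directory:", hit)
```

Run against a real checkout, the output is a list of paths to raise with the development team; the content check catches keys that were renamed to evade a filename-only scan, which is why both checks are kept.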

Phase Two:

In this phase, Pac-Sec will identify the pages within the application using crawling tools.

The following checks will be undertaken:

  • Foreign value checks
    1. Covering methods/functions, parameters and return values.

  • Cohesion
    1. Grouping similar functionality into units with marked boundaries in the source code.

  • Coupling
    1. Identifying the level of interaction of source code between/across unit boundaries.

  • Application-level communication protocol
    1. Verification and validation of handshakes between client and server.

  • Validating the solution domain topology
    1. Verifying that systems, subsystems, modules and units are hierarchically divided.

Phase Three:

In this phase, Pac-Sec will review the language and logic to validate that they are written to the highest set standard, including reviewing for ineffective and insecure code:

  • Type consistency
  • Naming conventions
  • Readability of the code
  • Commenting levels
  • Nesting depth
  • Validating logic patterns, e.g. `if (x==null) return true; else return false;` vs. `return x==null;`
  • Validating programming functionality like arrow functions, lambdas, LINQ and templated classes.
  • Validating scope specifiers like private, public, protected and internal for:
    1. Identifying unmanaged objects/resources.
    2. String handling.
    3. Identifying cut/paste/tweak of code snippets.

Phase Four:

In this phase, Pac-Sec will identify and verify the data flows and business logic of the source code of the said application.

  1. Identifying and verifying the inbound/outbound paths including route handlers, i.e. client and server side.
  2. Reviewing the materialization, validation, verification, transfer, transformation and persistence of the available data units, and validating and verifying the different methods used for handling security risk.
  3. Verifying the validity of business logic, and reporting vulnerabilities, for maintenance.
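As an added example (not Pac-Sec's code or part of the original page), the handler below traces one inbound data unit, a "create note" request, through the steps named above: materialization (parsing untrusted bytes), validation at the trust boundary, transformation, and parameterised persistence. The field names, the title allow-list, the size limit and the SQLite table are assumptions chosen for illustration; the requests fed to it are constructed samples.

```python
"""Inbound-path handling for one data unit, materialize -> validate -> persist.

Added example, not Pac-Sec's code. Field names, TITLE_RE, MAX_BODY and the
notes table are assumptions for illustration only.
"""
import json
import re
import sqlite3

TITLE_RE = re.compile(r"^[\w .,'-]{1,80}$")   # assumed allow-list for titles
MAX_BODY = 2000                               # assumed size limit for the body


class ValidationError(ValueError):
    """Raised when untrusted input fails a boundary check."""


def materialize(raw_bytes):
    """Step 1: turn untrusted bytes into a dict, rejecting anything else."""
    try:
        obj = json.loads(raw_bytes)
    except ValueError as exc:
        raise ValidationError("body is not JSON: %s" % exc) from None
    if not isinstance(obj, dict):
        raise ValidationError("body must be a JSON object")
    return obj


def validate(obj):
    """Step 2: type, length, allow-list and unknown-field checks at the boundary.

    Step 3 (transformation) is the strip() on the title: applied only after
    validation so that the stored value is exactly what was checked.
    """
    title = obj.get("title")
    body = obj.get("body", "")
    if not isinstance(title, str) or not TITLE_RE.match(title):
        raise ValidationError("title missing or contains disallowed characters")
    if not isinstance(body, str) or len(body) > MAX_BODY:
        raise ValidationError("body must be a string of at most %d chars" % MAX_BODY)
    unknown = set(obj) - {"title", "body"}
    if unknown:
        raise ValidationError("unexpected fields: %s" % ", ".join(sorted(unknown)))
    return {"title": title.strip(), "body": body}


def persist(conn, note):
    """Step 4: parameterised insert, so data never becomes query syntax."""
    cur = conn.execute(
        "INSERT INTO notes(title, body) VALUES (?, ?)",
        (note["title"], note["body"]),
    )
    return cur.lastrowid


def open_store():
    """In-memory store standing in for the application's database (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes(id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    return conn


def handle_create_note(conn, raw_bytes):
    """Route handler: returns (status, payload) the way an HTTP response would."""
    try:
        note = validate(materialize(raw_bytes))
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    return 201, {"id": persist(conn, note)}


if __name__ == "__main__":
    store = open_store()
    # Constructed sample requests: one well-formed, one with query syntax in a
    # field, one with an unexpected field, one that is not JSON at all.
    samples = [
        b'{"title": "Review notes", "body": "phase four"}',
        b'{"title": "x\'); DROP TABLE notes; --", "body": ""}',
        b'{"title": "ok", "body": "a", "admin": true}',
        b'not json',
    ]
    for raw in samples:
        print(raw, "->", handle_create_note(store, raw))
```

A reviewer tracing this path checks that every inbound route reaches the store only through `validate` and `persist`, and that no other code path builds a query from the raw request; the allow-list rejects the injection-shaped title outright, and the parameterised insert would still store it as literal text if the allow-list were loosened.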

Phase Five:

In this phase, Pac-Sec will report the documented results and respond to queries from the client side.


Deliverables

Complete Source Code Review service deliverables will be a detailed report with sections tailored for different audiences.

  • Executive Summary
    • This section contains a summary of the number of issues identified and the critical action items, with suggestions for who should be assigned to fix them.
  • Architecture Review
    • This section will outline the structural findings and suggest feedback regarding the comprehensive structure of the source code.
  • Detailed Findings
    • This section will contain the detailed findings from the review, referenced to source code files and line numbers to give developers a fine-grained reference for identifying and remediating each finding.
    • Findings will include a detailed description of each issue found, why it is identified as an issue, and steps for improvement.
    • Recommended steps to fix the identified gaps.
  • Observations
    • This section of the report will contain information gathered by the code reviewer, which might include suggestions on improving the quality of the code and any other suggestions they wish to convey to the technical team.
  • Appendices
    • Detailed information and evidence that has been used for reference.


Benefits of source code review

  • Improve your overall application security, feel and features. It is considered the first thing to do to improve code quality and software quality.
  • Fix bugs early when they are cheap to fix which will reduce overall project time and cost.
  • Consistent design and implementation which produces higher-quality software.
  • Adherence to coding standards/conventions.
  • Ability to comply with internal audits, ISO audits including various industry certifications.
  • Will build the confidence of stakeholders.

Copyright © 2021 Pacific Global Security Group LLC- All Rights Reserved.