Security Code Review is a systematic examination of software source code intended to identify insecure coding techniques and practices, and vulnerabilities that could lead to security incidents.
With increasing reliance on outsourced software development, the protection of corporate and entrusted information is becoming more important. Organizations use or include parts of externally developed code in their own products to speed up development, without having the time to fully understand the provided code and its functionality.
Furthermore, internal software development groups are usually under tremendous pressure to deliver the product along with its intended functionality, and security is often overlooked as a result. The functionality that actually gets implemented in the final code rarely matches the intended functionality exactly.
This is the grey area that companies unfortunately tend to find out about from the press instead of proactively finding it themselves. The problems range from requirements that should have been implemented but were not, to previously unknown functionality, to controls that were implemented incompletely or incorrectly. Most security vulnerabilities are unintentional side effects of implemented functionality. By not being aware of the vulnerabilities in its code, a company faces the risk of being breached without knowing it.
This places not only the company at risk, but also the entrusted information of its business partners and clients, and the public relations fallout could be devastating for the company's business. For this reason, Selective Code Audit and Review activities are part of security compliance and are usually carried out at the time of a major software release. While it is possible to identify security vulnerabilities in source code manually, most companies do not have the skilled security resources, or the time within the software development lifecycle, that a complete manual code review requires. Many companies in this situation decide instead to perform a selective code review of a portion of their software code.
With extensive experience in software development audits, RSS Inc. offers a Selective Code Audit and Review Service that caters to the needs of clients of all industries and sizes. Our service covers both security and privacy risks. Our seasoned professionals have performed software audits and re-engineering engagements in various public and private sector organizations.
During the engagement, the RSS Inc. team will perform various scenarios and test-cycle activities that encompass the following (the latter two apply to compiled code where source is not available):
Analysis: observing the information exchanged between components, the most common form of protocol reverse engineering. A bus analyzer or packet sniffer is attached to the computer bus or network connection to capture and reveal the traffic data;
Disassembly: using a disassembler to read the program's raw machine code in its own terms, with only machine language mnemonics as an aid;
Decompilation: using a decompiler, which attempts, with varying degrees of success, to recreate higher-level source code from a program that is only available as machine code.
Furthermore, if required, our team will customize its activities to execute:
Reverse Engineering specific tests
Automated Application Licensing Model tests
Attacking the software dependencies
Software License specific tests
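As an added illustration of the first activity above (traffic analysis), and not part of RSS Inc.'s service description or code: the Python below takes a handful of frames as a packet sniffer would hand them over and infers which byte offsets are constant (magic number, version) and which one behaves as a length field, then uses that inferred layout to re-frame a raw byte stream with bounds checks. The protocol, its field layout and the captured frames are all constructed for this example; the `CAPTURED[:4]` call shows why a capture made up only of short frames can support a wrong hypothesis.

```python
"""Inferring the framing of an undocumented protocol from captured traffic.

Added example, not RSS Inc. code. The protocol below is hypothetical and the
"captured" frames are constructed inline so that the script runs offline.
"""
import struct
from typing import List, Optional, Tuple

_FMT = {1: "B", 2: "H", 4: "I"}   # struct codes for 1/2/4-byte unsigned fields


def _frame(msg_type: int, payload: bytes) -> bytes:
    """Build one frame of the hypothetical protocol: 2-byte magic 0xCAFE,
    1-byte version, 1-byte message type, 2-byte big-endian payload length,
    then the payload. The analyst is assumed NOT to know this layout."""
    return b"\xca\xfe\x01" + bytes([msg_type]) + struct.pack(">H", len(payload)) + payload


# Constructed sample capture (what a packet sniffer might hand us).
CAPTURED: List[bytes] = [
    _frame(0x01, b"hello"),
    _frame(0x02, b"user=alice"),
    _frame(0x01, b"x"),
    _frame(0x03, b"A" * 40),
    _frame(0x02, b"B" * 300),   # a long frame: needed to rule out a 1-byte length field
]


def constant_offsets(frames: List[bytes]) -> List[int]:
    """Byte offsets whose value is identical in every frame: candidate
    magic numbers, version fields or padding."""
    n = min(len(f) for f in frames)
    return [i for i in range(n) if len({f[i] for f in frames}) == 1]


def find_length_field(frames: List[bytes],
                      widths=(1, 2, 4),
                      orders=(">", "<")) -> Optional[Tuple[int, int, str, int]]:
    """Look for an integer field such that
        len(frame) == header_len + value_at(offset, width, byteorder)
    holds with the same header_len for every frame.  Returns
    (offset, width, byteorder, header_len), or None if no offset fits.
    Hypotheses are tried narrowest first, so a capture containing only
    short frames cannot distinguish a 1-byte field from the low byte of a
    wider big-endian one; that is why the sample includes a 300-byte frame."""
    n = min(len(f) for f in frames)
    for width in widths:
        for off in range(0, n - width + 1):
            for order in orders:
                values = [struct.unpack_from(order + _FMT[width], f, off)[0] for f in frames]
                header_lens = {len(f) - v for f, v in zip(frames, values)}
                if len(header_lens) == 1:
                    header_len = header_lens.pop()
                    # The length must count bytes that follow the field itself.
                    if header_len >= off + width:
                        return off, width, order, header_len
    return None


def split_frames(stream: bytes, layout: Tuple[int, int, str, int]) -> List[bytes]:
    """Re-frame a raw byte stream using an inferred layout.  Truncated or
    trailing data raises rather than being silently accepted: a parser that
    trusts a length field without bounds checks is a classic source of
    out-of-bounds reads."""
    off, width, order, header_len = layout
    frames, pos = [], 0
    while pos + header_len <= len(stream):
        n = struct.unpack_from(order + _FMT[width], stream, pos + off)[0]
        end = pos + header_len + n
        if end > len(stream):
            raise ValueError(f"truncated frame at offset {pos}")
        frames.append(stream[pos:end])
        pos = end
    if pos != len(stream):
        raise ValueError(f"{len(stream) - pos} trailing bytes after last frame")
    return frames


if __name__ == "__main__":
    print("constant offsets:", constant_offsets(CAPTURED))
    layout = find_length_field(CAPTURED)
    print("length field (offset, width, order, header_len):", layout)
    print("with only the four short frames:", find_length_field(CAPTURED[:4]))
    print("re-framed", len(split_frames(b"".join(CAPTURED), layout)), "frames")
```

On the full sample the search settles on a 2-byte big-endian field at offset 4 with a 6-byte header; on the four short frames alone it reports a 1-byte field at offset 5, which is merely the low byte of the real field. Varying the inputs you observe (long messages, different message types) is what turns a plausible guess into a supported one.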
Engagement outcomes will be summarized in a final written report containing the findings, recommendations and supporting evidence. The RSS Inc. team will recommend improvements in a pragmatic manner, taking into consideration the client's current code development practices, so that our clients are familiar with the recommendations and improvements we suggest. Our team will ensure that the proposed plan of mitigation activities supports the client's engagement goals and overall corporate security governance journey.
The RSS Inc. team will work in tandem with the client's assigned team throughout the engagement, ensuring complete knowledge sharing.
By engaging RSS Inc. as a neutral third-party auditor, clients receive unbiased information about the vulnerabilities identified in their internally developed software code. It also enables companies to draw on seasoned professionals who have played a technology audit role in various public and private sector organizations. By bringing this external experience to the table, our clients are in a position to shorten the time it takes their secure code development practices to mature.
The immediate benefit of a Selective Code Audit and Review Service is that it identifies vulnerabilities in the software code before an adversary can find them. It also offers the chance to identify weaknesses in the security controls put in place to prevent or detect such vulnerabilities.
This provides a proactive approach to identifying vulnerabilities, misconfigured settings and missing secure software development controls.
By having access to industry-leading security specialists, the client can rest assured that the assessment will be non-intrusive to their operations.
The pragmatic recommendations stemming from the engagement findings enable companies to use their software code securely and to prioritize budget toward enforcing corporate compliance.
Overall, Selective Code Audit and Review activities help mitigate corporate risk by minimizing potential disruptions to business activities. The service also delivers value by checking that the promised benefits match up against the strategy.
The RSS Inc. team will provide mid- and long-term plans with milestones for improving application security controls.