Audit of source code

Evaluate the level of security!

What is a source code audit?


In its general recommendations and guides, the ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information) recommends periodic security audits.

In its IT hygiene guide, ANSSI states that an audit is the only way to observe concretely whether the measures deployed in the field are actually effective. This applies to organizational audits and technical audits alike.

A code security audit is one of the security audits used to evaluate the security level of one or more components of an information system. Reviewing the source code is therefore an essential step: it identifies the implementations targeted by the analysis and assesses whether they comply with the expected rules.

The main objective is to evaluate the security of the code and to verify that the rules of good practice for specification and design have been followed:

Consistent naming conventions, so that a developer can readily understand the role of each function and parameter (maintenance and maintainability);

Information kept opaque where it should be (no disclosure of sensitive information);

Ease of use (control over the sequencing of operations).

For source code reviews, the Synetis methodology proposes a two-stage breakdown:

The objective of the code sample analysis is to:

The auditor is likely to identify exploitable vulnerabilities in the code. Each identified vulnerability is then rated using the CVSS v3 method. Where vulnerabilities are found, Synetis proposes to confirm their exploitability through penetration testing.

We cover the following languages:

Our method relies on static analysis of the code in a so-called "white box" approach: several automated code analysis techniques are combined with a manual review, and the observations are checked against the OWASP and Synetis secure development guidelines.

Vulnerabilities detected during our source code audits include missing filtering of inbound or outbound data, missing protection of sensitive data in transit, poor error handling that can expose sensitive data, unmaintainable code, and so on.
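To make one of those finding classes concrete, and to show what the "automated check plus manual review" combination looks like in practice, here is an added example (written for this page, not Synetis tooling): a small AST-based check for the "poor error handling that exposes sensitive data" pattern, run over two constructed Python snippets. The vulnerable snippet hands the raw database driver error back to the client, where it can carry the SQL text, a connection string or a file path; the hardened snippet returns a generic message with an opaque reference and keeps the detail in the server log. The `login` function, its `db.query` call and the sample code itself are all constructed for the illustration.

```python
"""Toy static check for exception handlers that return the caught exception's
text to the caller (added example with constructed samples)."""
import ast

# Constructed snippet standing in for code under review: the handler formats the
# raw driver error into the response, so internals reach the client.
VULNERABLE_SAMPLE = '''
def login(db, username):
    try:
        return db.query("SELECT * FROM users WHERE name = ?", username)
    except Exception as exc:
        return {"status": 500, "error": f"login failed: {exc}"}
'''

# Hardened form: the client gets a generic message plus an opaque reference,
# and the exception detail is logged server-side under that reference.
HARDENED_SAMPLE = '''
import logging
import uuid

def login(db, username):
    try:
        return db.query("SELECT * FROM users WHERE name = ?", username)
    except Exception as exc:
        ref = uuid.uuid4().hex
        logging.error("login failed ref=%s: %s", ref, exc)
        return {"status": 500, "error": "login failed", "ref": ref}
'''


def _names_in(node):
    """All variable names referenced anywhere under an AST node."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def find_exception_leaks(source):
    """Return (lineno, exception_var) for each return statement inside an
    'except ... as name:' handler whose returned expression references name.

    Deliberate limitations, to keep the check small: it does not follow the
    exception through intermediate variables, into helper calls, or into
    nested functions defined inside the handler. That is exactly the gap a
    manual review has to cover: confirm each hit and look for what the
    automated pass cannot see.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.ExceptHandler) and node.name):
            continue
        for sub in ast.walk(node):
            if (isinstance(sub, ast.Return) and sub.value is not None
                    and node.name in _names_in(sub.value)):
                findings.append((sub.lineno, node.name))
    return findings


if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_SAMPLE),
                          ("hardened", HARDENED_SAMPLE)):
        print(label, find_exception_leaks(sample))
```

The check flags the vulnerable snippet at the line of its `return` (the f-string references `exc`) and passes the hardened one, where `exc` is used only in the log call. A real engagement would run many such rules, one per finding class, and then read the flagged code by hand before rating anything.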
