What is a source code audit?
In its general recommendations and guides, the ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information) recommends periodic security audits.
Indeed, in its IT hygiene guide the ANSSI states that an audit is the only way to concretely observe the effectiveness of the measures actually implemented. This applies both to organizational audits and to technical audits.
The code security audit is one of the security audits that allow the security level of one or several components of an information system to be evaluated. Reviewing the source code is thus an essential step: it identifies the implementations targeted by the analysis and evaluates their compliance.
- Use of consistent naming conventions so that a programmer can easily understand the role of each function and parameter (maintenance and maintainability);
- Opacity of information (no disclosure of sensitive information);
- Ease of use (control of operation sequencing).
- A sampling phase that identifies the application's sensitive points and guides the security analysis, based in part on the architecture analysis;
- A security analysis that relies on the auditor's expertise to identify deviations from good programming practice and vulnerabilities, in the context of the overall audit.
The objective of the code sample analysis is to:
- Manually analyze the code of the functions identified as critical and give an opinion on the security of each function's implementation;
- Analyze the relevant findings of the automated tools to determine whether they have a security impact or are simple programming errors.
The auditor may identify exploitable vulnerabilities in the code. Identified vulnerabilities are then rated using CVSS v3. Where vulnerabilities are identified, Synetis proposes to verify their exploitability through penetration testing.
- C / C++
- Java
- JavaScript
- Python
- Perl
- PHP
- Ruby
- Shell/PowerShell
- SQL
Our method is based on static analysis of the code using a so-called "white box" approach: several automated code analysis techniques are combined with a manual review, and the observations are checked against the OWASP and Synetis secure development guidelines.
Vulnerabilities detected during our source code audits may include a lack of filtering of inbound or outbound data, a lack of protection of sensitive data in transit, error handling that exposes sensitive data, unmaintainable code, etc.
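As an added example, not code from the original page nor from Synetis' own methodology, the Python snippet below shows three of the vulnerability classes listed above as an auditor would see them in a review: a lookup function with no inbound filtering (the caller's input is concatenated into an SQL query) and no outbound filtering (every column is returned, including a secret), and an error handler that returns the raw database exception to the caller. Each is shown beside a hardened version. The SQLite schema, the sample rows and the function names are constructed for this example.

```python
"""Vulnerable lookup and error handling beside hardened versions (added example)."""
import re
import sqlite3


def make_db():
    # Constructed sample data: a users table with a column that must never
    # be returned to a caller.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")],
    )
    return conn


# --- Finding 1 and 2 (vulnerable): no inbound filtering, no outbound filtering ---
def lookup_user_vulnerable(conn, name):
    # Input is concatenated into the query (injection), and SELECT * returns
    # the 'secret' column to whoever called the function.
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    return list(conn.execute(query))


# --- Hardened: allow-list validation of the input, parameterised query,
#     and only the columns the caller needs are selected ---
NAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")  # assumed naming policy for this example


def lookup_user_hardened(conn, name):
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid user name")
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# --- Finding 3 (vulnerable): error handling that exposes sensitive data ---
def handle_vulnerable(conn, name):
    try:
        return {"status": 200, "body": lookup_user_vulnerable(conn, name)}
    except Exception as exc:
        # The raw exception (database error text, query fragments) is sent
        # back to the caller, which reveals the query structure and the backend.
        return {"status": 500, "body": f"internal error: {exc!r}"}


# --- Hardened: invalid input is rejected with an opaque 400; database errors
#     are mapped to a generic 500 (details would be logged server-side only) ---
def handle_hardened(conn, name):
    try:
        return {"status": 200, "body": lookup_user_hardened(conn, name)}
    except ValueError:
        return {"status": 400, "body": "bad request"}
    except sqlite3.Error:
        return {"status": 500, "body": "internal error"}


if __name__ == "__main__":
    db = make_db()
    payload = "alice' OR '1'='1"
    print("vulnerable:", lookup_user_vulnerable(db, payload))   # every row, secrets included
    print("vulnerable error:", handle_vulnerable(db, "alice'"))  # raw OperationalError leaks
    print("hardened:", handle_hardened(db, payload))             # 400, nothing leaks
    print("hardened:", handle_hardened(db, "alice"))             # ['alice'] only
```

During a review, the first two functions are the kind of code the sampling phase flags as a sensitive point: any function that builds a query from caller-controlled data, or whose return value is sent back to a client, gets the manual analysis described above, while the automated tools typically only raise the string concatenation.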