Source code audit
Assess the security level!
What is source code auditing?
In its general recommendations and guides, ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) recommends periodic security audits.
In its computer hygiene guide, ANSSI states that audits are the only way to verify that the measures deployed in the field are actually effective. This applies to both organizational and technical audits.
A code security audit is one of the security audits used to evaluate the security level of one or more components of an information system. Source code review is therefore an essential step: it identifies the implementations targeted by the analysis and assesses their compliance.
The main objective is to evaluate the security of the code and to check that good practice rules for specification and design have been followed:
Use of consistent naming conventions so that the programmer can easily understand the role of each function and parameter (maintenance and maintainability);
Level of information opacity (no disclosure of sensitive information);
Ease of use and control of operation sequencing.
For source code reviews, the Synetis methodology proposes a two-step breakdown:
The objective of the analysis of code samples is to:
The auditor may identify exploitable vulnerabilities in the code. Each identified vulnerability is then rated using the CVSS v3 method. Where vulnerabilities are identified, Synetis proposes to confirm their exploitability through penetration testing.
We cover the following languages:
Our method is based on static analysis of the code using a "white box" approach (the auditors have the full source). Several automated code analysis techniques are combined with a manual review, and findings are compared against the OWASP and Synetis secure development guidelines.
Vulnerabilities detected during our source code audits typically include missing validation of incoming data or encoding of outgoing data, missing protection of sensitive data in transit, poor error handling that exposes sensitive information (stack traces, query text, internal paths), unmaintainable code, etc.
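To make two of those finding classes concrete, the following added example (illustrative code written for this page, not Synetis code or code from any audited project) places a vulnerable lookup next to its hardened form. The sample in-memory SQLite table, the `users` schema and the `lookup_*`/`handler_*` function names are all constructed for the illustration. The first pair shows incoming data concatenated straight into a query with no filtering; the second shows an error handler that echoes exception details to the caller versus one that returns a generic message and keeps the details in a server-side log.

```python
"""Vulnerable-versus-hardened pairs for two common source code audit findings:
missing filtering of incoming data, and error handling that leaks internals.
Illustrative code only; the schema and sample rows are constructed here."""
import re
import sqlite3

# Server-side log stand-in (a list so the example runs offline).
SERVER_LOG = []


def make_db():
    """Constructed sample database: two users, each holding a secret API key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, api_key TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "key-alice-123"), ("bob", "key-bob-456")],
    )
    return conn


# --- Finding 1: lack of filtering of incoming data -------------------------

def lookup_vulnerable(conn, username):
    """The caller-supplied username is concatenated into the SQL text."""
    cur = conn.execute(f"SELECT api_key FROM users WHERE name = '{username}'")
    return [row[0] for row in cur.fetchall()]


# Allow-list for what a username is permitted to look like.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def lookup_hardened(conn, username):
    """Allow-list validation on the input plus a parameterised query."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    cur = conn.execute("SELECT api_key FROM users WHERE name = ?", (username,))
    return [row[0] for row in cur.fetchall()]


# --- Finding 2: poor error handling exposing sensitive data -----------------

def handler_vulnerable(conn, username):
    """Returns the exception repr (query text, driver internals) to the caller."""
    try:
        return {"status": 200, "body": lookup_vulnerable(conn, username)}
    except Exception as exc:  # noqa: BLE001 - deliberately broad for the demo
        return {"status": 500, "body": f"Internal error: {exc!r}"}


def handler_hardened(conn, username):
    """Generic message to the caller; the detail goes to the server-side log."""
    try:
        return {"status": 200, "body": lookup_hardened(conn, username)}
    except ValueError:
        return {"status": 400, "body": "Bad request"}
    except Exception as exc:  # noqa: BLE001
        SERVER_LOG.append(repr(exc))
        return {"status": 500, "body": "Internal error"}


if __name__ == "__main__":
    db = make_db()
    # Unfiltered input lets a tautology dump every key in the table.
    print("vulnerable:", lookup_vulnerable(db, "x' OR '1'='1"))
    print("hardened:  ", handler_hardened(db, "x' OR '1'='1"))
    # An unbalanced quote makes the vulnerable handler leak the driver error.
    print("vulnerable:", handler_vulnerable(db, "x'"))
    print("hardened:  ", handler_hardened(db, "x'"))
```

Running the module shows the tautology payload returning both users' API keys from the vulnerable lookup, while the hardened handler rejects it with a 400 before any query is issued; an unbalanced quote makes the vulnerable handler echo `sqlite3.OperationalError` details, while the hardened one returns only "Bad request". The allow-list regex is the filtering control and the parameterised query is the defence in depth: an audit expects both.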