Source code audits

What is source code auditing?

Source code audits check the level of security of one or more components of an information system. A source code review is thus a crucial step in identifying the implementations targeted by the analysis and assessing their conformity.

The main objective is to evaluate the programming safety of the code in order to ensure that the rules of good practice in terms of specification and design have been respected:
  • Use of consistent naming conventions so that the programmer easily understands the role of each function and parameter (maintenance and maintainability)
  • Level of opacity of information (no disclosure of sensitive information)
  • Ease of use (control of operation sequencing)
For source code reviews, the Synetis methodology proposes a two-step breakdown:
  • A sampling phase to identify the sensitive points of the application and guide the security analysis, based in part on the architecture analysis.
  • A security analysis that draws on the auditor’s expertise to identify deviations from programming best practices and vulnerabilities, as part of the overall audit.
Sample source code is analyzed in order to:
  • manually analyze the code for those functions identified as critical, and to yield our informed opinion on the security of the function as implemented
  • analyze relevant results from automated tools to identify whether they have an impact on security or are the result of programming errors.
The auditor is likely to identify exploitable vulnerabilities in the code. The identified vulnerabilities are then qualified using the CVSSv3 method. If vulnerabilities are identified, Synetis recommends verifying their exploitability through intrusion tests. We cover the following languages:
  • C / C++
  • Java
  • Javascript
  • Python
  • Perl
  • PHP
  • Ruby
  • Shell/PowerShell
  • SQL
Our method is based on a static analysis of the code via a “white box” approach. The use of several automated code analysis tools combined with a manual review are carried out, while comparing the observations with the OWASP and Synetis best practices development standards. Vulnerabilities detected during our source code audits can include: lack of filtering of incoming or outgoing data; lack of protection of sensitive data transmitted; poor error management that could expose sensitive data; code that is too difficult to maintain, etc.

Build your

Cybersecurity

with Synetis!