Source code audit
A source code audit to assess the security level of your applications.
Guarantee the technical robustness of your applications with code auditing
L’source code audit enables you toevaluate the security level of one or more components of an application or softwareto ensure that specification and design rules and best practices have been respected.
It can be carried out with a view to improving the quality of existing code, or to identifying potential flaws for future attacks.
This type of audit gives the company an overview of the quality of its source code, with a view to improving security and compliance.
Following this audit, our experts make recommendations.
Discover the benefits of a source code audit
- Identify bad programming practices that can lead to vulnerabilities ;
- Identify ways of improving existing code;
- Gain an in-depth view of the application's security (exhaustive analysis, more in-depth than an intrusion test);
- Make developers aware of the importance of integrating security into application development (DevSecOps);
- Integrate audit results into documentation of best practices for secure development ;
- Gain visibility of the application's high-level architecture.
As Synetis is a PASSI-qualified company, source code audits can be carried out under this qualification as defined by ANSSI. This applies, for example, to the audit of a Restricted Diffusion network or a SecNumCloud qualification.
Rely on a rigorous, proven approach
Resources
Our methodology is based on interviews with developers, code analysis and associated documentation.
These sources of information are evaluated against a wide range of standards, such as those of OWASP, ANSSI, software publishers’ recommendations, frameworks/applications documentation, etc.
Control points
These information sources are sampled to focus on the most critical safety features.
Here are the main control points systematically checked by our auditors during a code review:
User input management: validation, filtering and follow-up
“Never trust the user”: this is the fundamental rule when developing interactive applications. The robustness and consistency of the chosen methods are studied, with the aim of uncovering potential security flaws and areas for improvement.
- Application bricks that interact with user-supplied data (strings, links, files, etc.) are systematically checked to ensure that they have undergone prior processing, known as “sanitization”. Several methods are available to developers for sanitizing user input:
- Special character filtering ;
- Using an intermediate framework ;
- Data type validation ;
- Antivirus scanning of files uploaded by users ;
- …
- The application’s interaction with third-party databases and services is also analyzed to ensure the implementation of secure development practices:
- Setting up prepared queries ;
- Data transmission using an encrypted protocol ;
- …
Interconnection between application bricks
An application generally integrates numerous services, whether through explicit separation of frontend and backend, the presence of an API, interconnection with a database or email services.
In this case, the security of these interconnections can also be assessed by means of a source code audit, to determine whether access control mechanisms are correctly taken into account, whether particular network configurations are set up, or whether adequate encryption measures are implemented.
For example, the source code audit takes the following points into account:
- Secure TLS connections to other applications ;
- Manage SQL database connection rights.
Authentication and session tracking
The quality of authentication and session mechanisms is studied to ensure their robustness in the face of various attacks (brute force, session fixing, session bypassing, etc.). Compromising these mechanisms could jeopardize the confidentiality, integrity and availability of data hosted on the application. The following security aspects are checked during a code review:
- Password reset mechanism (randomness and token integrity) ;
- Handling authentication failures ;
- Hazard, confidentiality and integrity of the session token: JWT, cookie configuration, Basic Auth, etc ;
- Session duration: expiry and renewal ;
- Implementation of a query control mechanism to prevent dictionary or brute-force attacks;
- Robust password policy ;
- Anti-CSRF protection mechanism.
Access control
Access control is a key aspect of application security, ensuring that users can only interact with data that matches their permissions. According to OWASP, access control vulnerabilities are the most common in Web applications:
- No exposure of sensitive application information: level of opacity of information (no disclosure of sensitive information);
- Security of access control implementation: access to other users’ data (horizontal) and access to administration functions (vertical);
- Direct object referencing and predictability of identifiers.
Logic bugs
- Ease of use (control of operation sequencing) ;
- Consistency of session object construction in a tunnel ;
- Boundary conditions and overflow.
Exposure of sensitive information and encryption
Sensitive data must be encrypted and the source code must not contain any confidential information:
- Secret management: ensure that no confidential information (passwords, salt, pepper, session tokens) is included in the source code;
- Using configuration files and environment variables ;
- Use of state-of-the-art algorithms and robust key sizes ;
- Protecting access to secrets.
Traceability of actions
Logging is essential to ensure the traceability of events that may occur during an application’s lifecycle. However, it is important to ensure that the data stored is not of a sensitive nature. The following control points are examined:
- Filtering or validation of data saved in logs ;
- Cleansing of personal data from logs (passwords, credit cards, personal information, etc.);
- Consistent identification of event sources (application or module causing the error, error or action code, date and time of occurrence, actor who triggered the error or action).
Application base configuration
- Environment variables are used to configure the application base, rather than being integrated directly into the source code;
- Regular dependency updates ;
- Web server configuration: directory listing, error pages, debug mode, etc.
Analysis method
The purpose of analyzing code samples is to :
- Analyze relevant results from automatic tools, to identify whether they have a security impact or are the result of programming errors. This analysis provides a rough idea of the overall security of the code.
- Manually analyze the code of functions identified as critical and offer an opinion on the security of the function's implementation. This security analysis calls on the auditor's expertise to identify deviations from programming practices and vulnerabilities in the context of the general audit.
Presentation of results and deliverables
The auditors assess the application’s security by reviewing the OWASP TOP 10 and highlighting good and bad security practices.
Auditors are likely to identify exploitable vulnerabilities in the code. If vulnerabilities are identified, Synetis also offers the possibility of demonstrating their exploitability through penetration tests.
Languages covered by our experts
Our auditors audited a variety of applications designed with the following programming languages :
- C / C++
- Java
- JavaScript / NodeJS
- .Net , C#
- Python
- Perl
- PHP
- Ruby
- Shell / PowerShell
- SQL
A source code audit enables your organization to assess the security level of its applications or software. Following this audit, it may be appropriate to consider an intrusion test to simulate real attack scenarios.