{"id":22690,"date":"2026-01-07T10:34:19","date_gmt":"2026-01-07T10:34:19","guid":{"rendered":"https:\/\/www.synetis.com\/ssi-audit\/safety-audits\/source-code-audit\/"},"modified":"2026-05-11T12:06:18","modified_gmt":"2026-05-11T12:06:18","slug":"source-code-audit","status":"publish","type":"page","link":"https:\/\/www.synetis.com\/en\/ssi-audit\/safety-audits\/source-code-audit\/","title":{"rendered":"Source code audit"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"22690\" class=\"elementor elementor-22690 elementor-10524\" data-elementor-post-type=\"page\">\n\t\t\t\t<div class=\"elementor-element elementor-element-7832a80 e-flex e-con-boxed e-con e-parent\" data-id=\"7832a80\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-3e4f659 e-con-full e-flex e-con e-child\" data-id=\"3e4f659\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-c3605d1 elementor-widget elementor-widget-shortcode\" data-id=\"c3605d1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\"><div class=\"aioseo-breadcrumbs\"><span class=\"aioseo-breadcrumb\">\n\t<a href=\"https:\/\/www.synetis.com\/en\/\" title=\"Accueil\">Accueil<\/a>\n<\/span><span class=\"aioseo-breadcrumb-separator\">\u203a<\/span><span class=\"aioseo-breadcrumb\">\n\t<a href=\"https:\/\/www.synetis.com\/en\/ssi-audit\/\" title=\"SSI audit\">SSI audit<\/a>\n<\/span><span class=\"aioseo-breadcrumb-separator\">\u203a<\/span><span class=\"aioseo-breadcrumb\">\n\t<a href=\"https:\/\/www.synetis.com\/en\/ssi-audit\/safety-audits\/\" title=\"Safety audits\">Safety audits<\/a>\n<\/span><span class=\"aioseo-breadcrumb-separator\">\u203a<\/span><span 
class=\"aioseo-breadcrumb\">\n\tSource code audit\n<\/span><\/div><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-30325ff elementor-widget elementor-widget-heading\" data-id=\"30325ff\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\">Source code audit<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-05554ba elementor-widget elementor-widget-text-editor\" data-id=\"05554ba\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-208d7a7 elementor-widget elementor-widget-text-editor\" data-id=\"208d7a7\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<p><span style=\"font-weight: 400;\">A source code audit to assess the security level of your applications.<\/span><\/p>\n<\/div>\n<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-897e4aa elementor-widget elementor-widget-button\" data-id=\"897e4aa\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/www.synetis.com\/en\/contact\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Contact our teams<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-c0162c2 e-flex e-con-boxed e-con e-parent\" data-id=\"c0162c2\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-5a04d67 elementor-widget 
elementor-widget-heading\" data-id=\"5a04d67\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Objective of a source code audit<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7cca607 elementor-widget elementor-widget-text-editor\" data-id=\"7cca607\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<ul>\n<li>Identify potential risks within the audited perimeter;<\/li>\n<li>Provide an action plan with remediation recommendations specific to the target system;<\/li>\n<li>Strengthen data protection;<\/li>\n<li>Make better use of IT resources;<\/li>\n<li>Verify the security of your architecture to prevent future incidents.<\/li>\n<\/ul>\n<p> <\/p>\n<p><span style=\"font-weight: 400;\">A <\/span><b>source code audit<\/b><span style=\"font-weight: 400;\"> enables you to <\/span><b>evaluate the security level of one or more components of an application or software product<\/b><span style=\"font-weight: 400;\"> and to verify that specification and design rules and development best practices have been respected.<\/span><\/p>\n<p> <\/p>\n<p><span style=\"font-weight: 400;\">It can be carried out to improve the quality of existing code, or to identify flaws that could be exploited in future attacks.<\/span><\/p>\n<p> <\/p>\n<p><span style=\"font-weight: 400;\">This type of audit gives the company an overview of the quality of its source code, with a view to improving security and compliance.<\/span><\/p>\n<p> <\/p>\n<p><span style=\"font-weight: 400;\">Following the audit, the experts issue recommendations.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-af5828d e-flex e-con-boxed e-con e-parent\" data-id=\"af5828d\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div 
class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-032e07a elementor-widget elementor-widget-heading\" data-id=\"032e07a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Benefits expected from a source code audit<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3b73412 elementor-widget elementor-widget-text-editor\" data-id=\"3b73412\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">A security-focused source code audit enables your organization to:<\/span><\/p>\n<p> <\/p>\n<ul>\n<li aria-level=\"1\">Identify bad programming practices that can lead to vulnerabilities;<\/li>\n<li aria-level=\"1\">Identify ways of improving existing code;<\/li>\n<li aria-level=\"1\">Gain an in-depth view of the application&#8217;s security (an exhaustive analysis, deeper than a penetration test);<\/li>\n<li aria-level=\"1\">Make developers aware of the importance of integrating security into application development (DevSecOps);<\/li>\n<li aria-level=\"1\">Integrate the audit results into the documentation of secure development best practices;<\/li>\n<li aria-level=\"1\">Gain visibility of the application&#8217;s high-level architecture.<\/li>\n<\/ul>\n<p> <\/p>\n<p>As Synetis is a PASSI-qualified company, source code audits can be carried out under this qualification as defined by ANSSI. This applies, for example, to the audit of a Diffusion Restreinte (restricted distribution) network or to a SecNumCloud qualification. 
<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-4dfaf54 e-flex e-con-boxed e-con e-parent\" data-id=\"4dfaf54\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-810e8d4 elementor-widget elementor-widget-heading\" data-id=\"810e8d4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Source code audit methodology<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-19efdae elementor-widget elementor-widget-heading\" data-id=\"19efdae\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Resources<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-79bd4b6 elementor-widget elementor-widget-text-editor\" data-id=\"79bd4b6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Our methodology is based on interviews with developers and on analysis of the code and its associated documentation.<\/span><\/p>\n<p> <\/p>\n<p><span style=\"font-weight: 400;\">These sources of information are evaluated against a wide range of references, such as OWASP and ANSSI guidelines, software publishers&#8217; recommendations and the documentation of the frameworks and applications in use.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7f3288c elementor-widget elementor-widget-heading\" data-id=\"7f3288c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Control points<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element 
elementor-element-0693bbf elementor-widget elementor-widget-text-editor\" data-id=\"0693bbf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">These information sources are sampled so that the review focuses on the most critical security functions. The main control points systematically verified by our auditors during a code review are the following: <\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b01f2a2 e-n-tabs-mobile elementor-widget elementor-widget-n-tabs\" data-id=\"b01f2a2\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;tabs_justify_horizontal&quot;:&quot;start&quot;,&quot;horizontal_scroll&quot;:&quot;disable&quot;}\" data-widget_type=\"nested-tabs.default\">\n\t\t\t\t\t\t\t<div class=\"e-n-tabs\" data-widget-number=\"184677026\" aria-label=\"Tabs. Open items with Enter or Space, close with Escape and navigate using the Arrow keys.\">\n\t\t\t<div class=\"e-n-tabs-heading\" role=\"tablist\">\n\t\t\t\t\t<button id=\"e-n-tab-title-1846770261\" data-tab-title-id=\"e-n-tab-title-1846770261\" class=\"e-n-tab-title\" aria-selected=\"true\" data-tab-index=\"1\" role=\"tab\" tabindex=\"0\" aria-controls=\"e-n-tab-content-1846770261\" style=\"--n-tabs-title-order: 1;\">\n\t\t\t\t\t\t<span class=\"e-n-tab-title-text\">\n\t\t\t\tUser input management: validation, filtering and tracking\t\t\t<\/span>\n\t\t<\/button>\n\t\t\t\t<button id=\"e-n-tab-title-1846770262\" data-tab-title-id=\"e-n-tab-title-1846770262\" class=\"e-n-tab-title\" aria-selected=\"false\" data-tab-index=\"2\" role=\"tab\" tabindex=\"-1\" aria-controls=\"e-n-tab-content-1846770262\" style=\"--n-tabs-title-order: 2;\">\n\t\t\t\t\t\t<span class=\"e-n-tab-title-text\">\n\t\t\t\tInterconnection between application components\t\t\t<\/span>\n\t\t<\/button>\n\t\t\t\t<button id=\"e-n-tab-title-1846770263\" 
data-tab-title-id=\"e-n-tab-title-1846770263\" class=\"e-n-tab-title\" aria-selected=\"false\" data-tab-index=\"3\" role=\"tab\" tabindex=\"-1\" aria-controls=\"e-n-tab-content-1846770263\" style=\"--n-tabs-title-order: 3;\">\n\t\t\t\t\t\t<span class=\"e-n-tab-title-text\">\n\t\t\t\tAuthentication and session management\t\t\t<\/span>\n\t\t<\/button>\n\t\t\t\t<button id=\"e-n-tab-title-1846770264\" data-tab-title-id=\"e-n-tab-title-1846770264\" class=\"e-n-tab-title\" aria-selected=\"false\" data-tab-index=\"4\" role=\"tab\" tabindex=\"-1\" aria-controls=\"e-n-tab-content-1846770264\" style=\"--n-tabs-title-order: 4;\">\n\t\t\t\t\t\t<span class=\"e-n-tab-title-text\">\n\t\t\t\tAccess control\t\t\t<\/span>\n\t\t<\/button>\n\t\t\t\t<button id=\"e-n-tab-title-1846770265\" data-tab-title-id=\"e-n-tab-title-1846770265\" class=\"e-n-tab-title\" aria-selected=\"false\" data-tab-index=\"5\" role=\"tab\" tabindex=\"-1\" aria-controls=\"e-n-tab-content-1846770265\" style=\"--n-tabs-title-order: 5;\">\n\t\t\t\t\t\t<span class=\"e-n-tab-title-text\">\n\t\t\t\tLogic bugs\t\t\t<\/span>\n\t\t<\/button>\n\t\t\t\t<button id=\"e-n-tab-title-1846770266\" data-tab-title-id=\"e-n-tab-title-1846770266\" class=\"e-n-tab-title\" aria-selected=\"false\" data-tab-index=\"6\" role=\"tab\" tabindex=\"-1\" aria-controls=\"e-n-tab-content-1846770266\" style=\"--n-tabs-title-order: 6;\">\n\t\t\t\t\t\t<span class=\"e-n-tab-title-text\">\n\t\t\t\tExposure of sensitive information and encryption\t\t\t<\/span>\n\t\t<\/button>\n\t\t\t\t<button id=\"e-n-tab-title-1846770267\" data-tab-title-id=\"e-n-tab-title-1846770267\" class=\"e-n-tab-title\" aria-selected=\"false\" data-tab-index=\"7\" role=\"tab\" tabindex=\"-1\" aria-controls=\"e-n-tab-content-1846770267\" style=\"--n-tabs-title-order: 7;\">\n\t\t\t\t\t\t<span class=\"e-n-tab-title-text\">\n\t\t\t\tTraceability of actions\t\t\t<\/span>\n\t\t<\/button>\n\t\t\t\t<button id=\"e-n-tab-title-1846770268\" data-tab-title-id=\"e-n-tab-title-1846770268\" 
class=\"e-n-tab-title\" aria-selected=\"false\" data-tab-index=\"8\" role=\"tab\" tabindex=\"-1\" aria-controls=\"e-n-tab-content-1846770268\" style=\"--n-tabs-title-order: 8;\">\n\t\t\t\t\t\t<span class=\"e-n-tab-title-text\">\n\t\t\t\tApplication platform configuration\t\t\t<\/span>\n\t\t<\/button>\n\t\t\t\t\t<\/div>\n\t\t\t<div class=\"e-n-tabs-content\">\n\t\t\t\t<div id=\"e-n-tab-content-1846770261\" role=\"tabpanel\" aria-labelledby=\"e-n-tab-title-1846770261\" data-tab-index=\"1\" style=\"--n-tabs-title-order: 1;\" class=\"e-active elementor-element elementor-element-7a4275e e-con-full e-flex e-con e-child\" data-id=\"7a4275e\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-6f8fc14 e-flex e-con-boxed e-con e-child\" data-id=\"6f8fc14\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-91eeec7 elementor-widget elementor-widget-text-editor\" data-id=\"91eeec7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">&#8220;Never trust the user&#8221;: this is the fundamental rule when developing interactive applications. The robustness and consistency of the input-handling methods chosen are studied, with the aim of uncovering potential security flaws and areas for improvement. <\/span><\/p>\n<p> <\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Application components that handle user-supplied data (strings, links, files, etc.) are systematically checked to ensure that the data has first been processed, a step known as &#8220;sanitization&#8221;. 
Several methods are available to developers for sanitizing user input: <\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"3\"><span style=\"font-weight: 400;\">Special character filtering;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"3\"><span style=\"font-weight: 400;\">Use of an intermediate framework or library;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"3\"><span style=\"font-weight: 400;\">Data type validation;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"3\"><span style=\"font-weight: 400;\">Antivirus scanning of files uploaded by users;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"3\"><span style=\"font-weight: 400;\">&#8230;<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">The application&#8217;s interaction with third-party databases and services is also analyzed to ensure that secure development practices are implemented:<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"3\"><span style=\"font-weight: 400;\">Use of prepared (parameterized) queries;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"3\"><span style=\"font-weight: 400;\">Data transmission over an encrypted protocol;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"3\"><span style=\"font-weight: 400;\">&#8230;<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div id=\"e-n-tab-content-1846770262\" role=\"tabpanel\" aria-labelledby=\"e-n-tab-title-1846770262\" data-tab-index=\"2\" style=\"--n-tabs-title-order: 2;\" class=\" elementor-element elementor-element-87ed440 e-con-full e-flex e-con e-child\" data-id=\"87ed440\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-8bea724 e-flex e-con-boxed e-con e-child\" data-id=\"8bea724\" data-element_type=\"container\" data-e-type=\"container\" 
data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-0da3260 elementor-widget elementor-widget-text-editor\" data-id=\"0da3260\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e734f74 elementor-widget elementor-widget-text-editor\" data-id=\"e734f74\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<p><span style=\"font-weight: 400;\">An application generally integrates numerous services, whether through the explicit separation of the <\/span><i><span style=\"font-weight: 400;\">frontend<\/span><\/i><span style=\"font-weight: 400;\"> and <\/span><i><span style=\"font-weight: 400;\">backend<\/span><\/i><span style=\"font-weight: 400;\">, the presence of an <\/span><i><span style=\"font-weight: 400;\">API<\/span><\/i><span style=\"font-weight: 400;\">, or an interconnection with a database or email services. <\/span> <\/p>\n<p> <\/p>\n<p><span style=\"font-weight: 400;\">In this case, the security of these interconnections can also be assessed by a source code audit, to determine whether access control is correctly enforced between components, whether specific network configurations are in place, and whether adequate encryption is implemented. 
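As an added example (it is not Synetis code and does not come from this page), the following Python script shows two of the control points above side by side: the user-input handling of the first tab and the database interconnection of this one. A lookup function is written the way a code review flags it (string concatenation) and the way the review recommends (allow-list validation in front of a prepared query), and the connection used by the read path is opened read-only so that the database account has no more rights than that path needs. The table, the sample rows and the username format are constructed for the illustration; SQLite is used only because it runs without a server.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample rows for the illustration (not real data).
SAMPLE_USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]

# Assumed username format: 1 to 32 lowercase letters, digits or underscores.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def seed_database(path):
    # Create the constructed 'users' table in a fresh SQLite file.
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    conn.close()


def open_read_only(path):
    # Least privilege on the connection itself: the read path of the
    # application gets a connection that cannot write, so an injected
    # statement cannot modify data even if a query is flawed.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def lookup_user_vulnerable(conn, username):
    # What a review flags: the input is concatenated into the SQL text,
    # so a quote in the input changes the grammar of the query.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_user_parameterized(conn, username):
    # Prepared (parameterized) query: the input is bound as a value and is
    # never parsed as SQL, whatever characters it contains.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def lookup_user_hardened(conn, username):
    # Defence in depth: data type validation (allow-list) in front of the
    # parameterized query, so malformed input is rejected before it reaches
    # the database at all.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return lookup_user_parameterized(conn, username)


def review_demo():
    # Run the variants against a classic injection payload and a legitimate
    # value, then probe the read-only connection. Returns a dict of
    # observations so the outcome can be checked programmatically.
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        seed_database(path)
        conn = open_read_only(path)
        payload = "x' OR '1'='1"
        results = {
            # the tautology turns the lookup into "return every row"
            "vulnerable_rows": len(lookup_user_vulnerable(conn, payload)),
            # the same payload bound as a parameter matches no username
            "parameterized_rows": len(lookup_user_parameterized(conn, payload)),
            "legitimate_rows": len(lookup_user_hardened(conn, "alice")),
        }
        try:
            lookup_user_hardened(conn, payload)
            results["hardened_payload"] = "accepted"
        except ValueError:
            results["hardened_payload"] = "rejected"
        try:
            conn.execute("DELETE FROM users")
            results["read_only_connection_writable"] = True
        except sqlite3.OperationalError:
            # SQLite refuses to write through a mode=ro connection
            results["read_only_connection_writable"] = False
        conn.close()
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for key, value in review_demo().items():
        print(f"{key}: {value}")
```

The read-only connection is the SQLite equivalent of the database-rights check in the list below: with a server database the same effect is obtained by giving the application a dedicated account granted only the statements its code actually issues.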
<\/span><\/p>\n<p> <\/p>\n<p><span style=\"font-weight: 400;\">For example, the source code audit takes the following points into account: <\/span><\/p>\n<p> <\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Secure TLS connections to other applications (protocol versions and certificate validation);<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Privileges granted to the SQL database account used by the application.<\/span><\/li>\n<\/ul>\n<\/div>\n<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div id=\"e-n-tab-content-1846770263\" role=\"tabpanel\" aria-labelledby=\"e-n-tab-title-1846770263\" data-tab-index=\"3\" style=\"--n-tabs-title-order: 3;\" class=\" elementor-element elementor-element-fa8861d e-con-full e-flex e-con e-child\" data-id=\"fa8861d\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-d7fb4d6 e-flex e-con-boxed e-con e-child\" data-id=\"d7fb4d6\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-ad2f390 elementor-widget elementor-widget-text-editor\" data-id=\"ad2f390\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e734f74 elementor-widget elementor-widget-text-editor\" data-id=\"e734f74\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<p><span style=\"font-weight: 400;\">The quality of authentication and session mechanisms is studied to ensure their robustness against various attacks (brute force, session fixation, session bypass, etc.). 
Compromising these mechanisms could jeopardize the confidentiality, integrity and availability of the data hosted by the application. The following security aspects are checked during a code review: <\/span><\/p>\n<p> <\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Password reset mechanism (randomness and integrity of the token);<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Handling of authentication failures;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Randomness, confidentiality and integrity of the session token: JWT, cookie configuration, Basic Auth, etc.;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Session duration: expiry and renewal;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Implementation of a request-throttling mechanism (rate limiting, account lockout) to prevent dictionary or brute-force attacks;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Robust password policy;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Anti-CSRF protection mechanism.<\/span><\/li>\n<\/ul>\n<\/div>\n<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div id=\"e-n-tab-content-1846770264\" role=\"tabpanel\" aria-labelledby=\"e-n-tab-title-1846770264\" data-tab-index=\"4\" style=\"--n-tabs-title-order: 4;\" class=\" elementor-element elementor-element-fc47dc2 e-con-full e-flex e-con e-child\" data-id=\"fc47dc2\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-ccb79ba e-flex e-con-boxed e-con e-child\" data-id=\"ccb79ba\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t<div 
class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-74cf808 elementor-widget elementor-widget-text-editor\" data-id=\"74cf808\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e734f74 elementor-widget elementor-widget-text-editor\" data-id=\"e734f74\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<p><span style=\"font-weight: 400;\">Access control is a key aspect of application security, ensuring that users can only interact with the data their permissions allow. Broken access control is the top category of the OWASP Top 10 (2021) and the most common class of vulnerability in web applications. The review checks: <\/span><\/p>\n<p> <\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">No exposure of sensitive application information: the application stays opaque to the user and discloses nothing it does not need to;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Correctness of the access control implementation: access to other users&#8217; data (horizontal privilege escalation) and access to administration functions (vertical privilege escalation);<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Direct object references and predictability of identifiers (IDOR).<\/span><\/li>\n<\/ul>\n<\/div>\n<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div id=\"e-n-tab-content-1846770265\" role=\"tabpanel\" aria-labelledby=\"e-n-tab-title-1846770265\" data-tab-index=\"5\" style=\"--n-tabs-title-order: 5;\" class=\" elementor-element elementor-element-184bade e-con-full e-flex e-con e-child\" data-id=\"184bade\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-a8f4a37 e-flex e-con-boxed e-con e-child\" data-id=\"a8f4a37\" 
data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-c5c242e elementor-widget elementor-widget-text-editor\" data-id=\"c5c242e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e734f74 elementor-widget elementor-widget-text-editor\" data-id=\"e734f74\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<p><span style=\"font-weight: 400;\">Business logic flaws are specific to each application and are rarely detected by automated tools, so they are reviewed manually on the following points: <\/span><\/p>\n<p> <\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Control of operation sequencing (the steps of a workflow cannot be skipped or reordered);<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Consistency of the session object across the steps of a multi-step workflow (for example a checkout funnel);<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Boundary conditions and overflows (numeric limits, lengths, quantities).<\/span><\/li>\n<\/ul>\n<\/div>\n<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div id=\"e-n-tab-content-1846770266\" role=\"tabpanel\" aria-labelledby=\"e-n-tab-title-1846770266\" data-tab-index=\"6\" style=\"--n-tabs-title-order: 6;\" class=\" elementor-element elementor-element-00fb68a e-con-full e-flex e-con e-child\" data-id=\"00fb68a\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-7dd55e3 e-flex e-con-boxed e-con e-child\" data-id=\"7dd55e3\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b9d7cbc elementor-widget elementor-widget-text-editor\" data-id=\"b9d7cbc\" data-element_type=\"widget\" 
data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e734f74 elementor-widget elementor-widget-text-editor\" data-id=\"e734f74\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<p><span style=\"font-weight: 400;\">Sensitive data must be encrypted and the source code must not contain any confidential information: <\/span><\/p>\n<p> <\/p>\n<ul>\n<li aria-level=\"2\"><span style=\"font-weight: 400;\">Secret management: ensure that no confidential information is included in the source code (passwords, API keys, pepper values, session signing keys);<\/span><\/li>\n<li aria-level=\"2\"><span style=\"font-weight: 400;\">Use of configuration files and environment variables, kept out of version control;<\/span><\/li>\n<li aria-level=\"2\"><span style=\"font-weight: 400;\">Use of state-of-the-art algorithms and robust key sizes;<\/span><\/li>\n<li aria-level=\"2\"><span style=\"font-weight: 400;\">Protection of access to secrets.<\/span><\/li>\n<\/ul>\n<\/div>\n<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div id=\"e-n-tab-content-1846770267\" role=\"tabpanel\" aria-labelledby=\"e-n-tab-title-1846770267\" data-tab-index=\"7\" style=\"--n-tabs-title-order: 7;\" class=\" elementor-element elementor-element-413c1c2 e-con-full e-flex e-con e-child\" data-id=\"413c1c2\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-a842be6 e-flex e-con-boxed e-con e-child\" data-id=\"a842be6\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-38870ba elementor-widget elementor-widget-text-editor\" data-id=\"38870ba\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e734f74 elementor-widget elementor-widget-text-editor\" data-id=\"e734f74\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<p><span style=\"font-weight: 400;\">Logging is essential to ensure the traceability of events that occur during an application&#8217;s lifecycle. However, it is important to ensure that the data stored in logs is not sensitive. The following control points are examined: <\/span><\/p>\n<p> <\/p>\n<ul>\n<li aria-level=\"2\"><span style=\"font-weight: 400;\">Filtering or validation of data written to logs (to prevent log injection);<\/span><\/li>\n<li aria-level=\"2\"><span style=\"font-weight: 400;\">Removal of sensitive data from logs (passwords, card numbers, personal data, etc.);<\/span><\/li>\n<li aria-level=\"2\"><span style=\"font-weight: 400;\">Consistent identification of event sources (application or module that caused the error, error or action code, date and time of occurrence, actor who triggered the error or action).<\/span><\/li>\n<\/ul>\n<\/div>\n<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div id=\"e-n-tab-content-1846770268\" role=\"tabpanel\" aria-labelledby=\"e-n-tab-title-1846770268\" data-tab-index=\"8\" style=\"--n-tabs-title-order: 8;\" class=\" elementor-element elementor-element-6db56e1 e-con-full e-flex e-con e-child\" data-id=\"6db56e1\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-59a989e e-flex e-con-boxed e-con e-child\" data-id=\"59a989e\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-ce2f3df elementor-widget elementor-widget-text-editor\" 
data-id=\"ce2f3df\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e734f74 elementor-widget elementor-widget-text-editor\" data-id=\"e734f74\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n<div class=\"elementor-widget-container\">\n<ul>\n<li aria-level=\"2\"><span style=\"font-weight: 400;\">Environment variables are used to configure the application platform, rather than values hard-coded in the source code;<\/span><\/li>\n<li aria-level=\"2\"><span style=\"font-weight: 400;\">Regular dependency updates;<\/span><\/li>\n<li aria-level=\"2\"><span style=\"font-weight: 400;\">Web server configuration: directory listing, error pages, debug mode, etc.<\/span><\/li>\n<\/ul>\n<\/div>\n<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-e9e2089 e-flex e-con-boxed e-con e-parent\" data-id=\"e9e2089\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-0fec5ec elementor-widget elementor-widget-heading\" data-id=\"0fec5ec\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Analysis method<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7216104 elementor-widget elementor-widget-text-editor\" data-id=\"7216104\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">The purpose of analyzing code samples is to:<\/span><\/p>\n<p> <\/p>\n<ul>\n<li>Triage the relevant results of automated tools, to determine whether each finding has a security impact or is merely a programming error. This analysis gives a rough idea of the overall security of the code;<\/li>\n<li>Manually analyze the code of functions identified as critical and give an opinion on the security of their implementation. This analysis calls on the auditor&#8217;s expertise to identify deviations from good programming practice and vulnerabilities in the context of the overall audit.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8a5393d elementor-widget elementor-widget-heading\" data-id=\"8a5393d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Presentation of results and deliverables<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8a0e664 elementor-widget elementor-widget-text-editor\" data-id=\"8a0e664\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">The auditors assess the application&#8217;s security against the OWASP Top 10 and highlight good and bad security practices.<\/span><\/p>\n<p> <\/p>\n<p><span style=\"font-weight: 400;\">Auditors are likely to identify exploitable vulnerabilities in the code. When vulnerabilities are identified, Synetis also offers to demonstrate their exploitability through <a title=\"penetration testing\" href=\"https:\/\/www.synetis.com\/expertises\/audit\/tests-intrusion\/\" target=\"_blank\" rel=\"noopener\">penetration tests<\/a>. 
<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-78c2e41 e-flex e-con-boxed e-con e-parent\" data-id=\"78c2e41\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-cab1247 elementor-widget elementor-widget-heading\" data-id=\"cab1247\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Languages covered by our experts<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1788894 elementor-widget elementor-widget-text-editor\" data-id=\"1788894\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Our auditors have audited a variety of applications written in the following programming languages<\/span><b>:<\/b><\/p>\n<p> <\/p>\n<ul>\n<li>C \/ C++<\/li>\n<li>Java<\/li>\n<li>JavaScript \/ NodeJS<\/li>\n<li>.NET, C#<\/li>\n<li>Python<\/li>\n<li>Perl<\/li>\n<li>PHP<\/li>\n<li>Ruby<\/li>\n<li>Shell \/ PowerShell<\/li>\n<li>SQL<\/li>\n<\/ul>\n<p> <\/p>\n<p><span style=\"font-weight: 400;\">A source code audit enables your organization to assess the security level of its applications or software. Following this audit, it may be appropriate to consider a <a title=\"penetration testing\" href=\"https:\/\/www.synetis.com\/expertises\/audit\/tests-intrusion\/\" target=\"_blank\" rel=\"noopener\">penetration test<\/a> to simulate real attack scenarios.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Source code audit A source code audit to assess the security level of your applications. 
Contact our teams Objective of a source code audit Identification of potential risks within the audited perimeter; An action plan including recommended remedies in the specific context of the target system; Enhanced data protection; Optimizing IT resources; Verify the security [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":0,"parent":22669,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"content-type":"","footnotes":""},"class_list":["post-22690","page","type-page","status-publish","hentry"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.synetis.com\/en\/wp-json\/wp\/v2\/pages\/22690","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.synetis.com\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.synetis.com\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.synetis.com\/en\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.synetis.com\/en\/wp-json\/wp\/v2\/comments?post=22690"}],"version-history":[{"count":1,"href":"https:\/\/www.synetis.com\/en\/wp-json\/wp\/v2\/pages\/22690\/revisions"}],"predecessor-version":[{"id":22693,"href":"https:\/\/www.synetis.com\/en\/wp-json\/wp\/v2\/pages\/22690\/revisions\/22693"}],"up":[{"embeddable":true,"href":"https:\/\/www.synetis.com\/en\/wp-json\/wp\/v2\/pages\/22669"}],"wp:attachment":[{"href":"https:\/\/www.synetis.com\/en\/wp-json\/wp\/v2\/media?parent=22690"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}