Security Analysis of Source Code
Get an outstanding level of security with our automated and manual analysis of the source code of your applications, services and software components! You will never reach such a level of assurance with penetration testing, automated code review alone or any other security activity. This service can be delivered as a separate project, in combination with white-box penetration testing, or as part of our Application Security or Security Assessment services.
The objective of this analysis is a security assessment of the source code of your systems or applications: checking the integrity and consistency of your code and its adherence to secure coding principles, and finding unsafe or deprecated functions, hidden logic bombs and traps, backdoors, undocumented features, non-optimal coding practices and the OWASP Top 10 vulnerabilities:
- A1: 2017 - Injection
- A2: 2017 - Broken Authentication
- A3: 2017 - Sensitive Data Exposure
- A4: 2017 - XML External Entities (XXE)
- A5: 2017 - Broken Access Control
- A6: 2017 - Security Misconfiguration
- A7: 2017 - Cross-Site Scripting (XSS)
- A8: 2017 - Insecure Deserialization
- A9: 2017 - Using Components with Known Vulnerabilities
- A10: 2017 - Insufficient Logging & Monitoring
We support the following:
- Java EE (JBoss, Tomcat, etc.)
- Java Android
- Objective-C/Swift (iOS/macOS)
- your language or platform
- Containers: Docker stack (Compose, Swarm, Machine, Registry), GCE Kubernetes, AWS ECS, Terraform, Vault
- Frameworks and technologies: NodeJS, Socket.IO, WebRTC, PhantomJS, YF framework, Yii, Laravel, Symfony components
- Frontend: Angular 2, AngularJS, ReactJS, JQuery, Less/Sass, Grunt/Gulp/Webpack, Bootstrap 3/4, etc.
- Mobile development (hybrid): Cordova, Ionic framework 1-4, NativeScript, ReactNative
- Desktop development (hybrid): Electron, NWJS, ReactNative
- RDBMS: MySQL / MariaDB / Percona, PostgreSQL, Oracle
- NoSQL: Redis, CouchBase, MongoDB, Cassandra, GCloud Datastorage
- Queues: RabbitMQ, Kafka, Redis, Beanstalkd, AWS SQS
- Automation / CI / CD: Jenkins, GitlabCI, TravisCI, CircleCI, Ansible, Bash scripting
- Different virtualization technologies, OSes, SCM, web / proxy / mail servers, cloud and dedicated hosting services, monitoring and backup technologies, blockchain technologies, payment gateways, etc.
To achieve these objectives, the auditors use two complementary methods:
- SAST (Static Application Security Testing), which uses automated tools to scan the source code for known vulnerability patterns.
- Manual source code review and analysis, which reveals what automated tools miss: unsafe and non-optimal coding practices, hidden logic bombs and traps, backdoors and undocumented features.
The report on the Security Analysis of Source Code includes:
- Executive summary
- Identified technical and functional vulnerabilities
- Modeling of attack vectors, proof of concept and exploitation of vulnerabilities
- Risk assessment
- Prioritized list of recommendations to mitigate identified weaknesses
Press the button below to order the security analysis of source code.