<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Code Audit</title>
<p>
<company_short/>
will perform a code audit. During this process we will verify whether the
proper security controls are present, work as intended and are implemented
correctly. If vulnerabilities are found, we determine the threat level by
assessing the likelihood of exploitation of the vulnerability and its impact
on the Confidentiality, Integrity and Availability (CIA) of the system. We
will describe how an attacker would exploit the vulnerability and suggest
ways of fixing it.
<br/>
This requires extensive knowledge of the platform the application is running
on, as well as extensive knowledge of the language the application is written
in and the patterns that have been used. Therefore a code audit is done by
highly-trained specialists with a strong background in programming.
</p>
<p>
During the code audit, we take the following approach:
</p>
<ol>
<li>Thorough comprehension of functionality
<br/>
We try to get a thorough comprehension of how the application works and how
it interacts with the user and other systems. Having detailed documentation
(manuals, flow charts, system sequence diagrams, design documentation) at this
stage is very helpful, as it aids the understanding of the application.
</li>
<li>Static analysis
<br/>
Using the understanding gained in the previous step, we will use static code
analysis to uncover vulnerabilities. Static analysis means the specialist
analyzes the code and the implementation of security controls to get an
understanding of the security of the application, rather than running the
application to reach the same goal. This is primarily a manual process, in
which the specialist relies on his or her knowledge and expertise to find
the flaws in the application. The specialist may be aided in this process by
automatic analysis tools, but his or her skills are the driving force.
<br/>
Depending on the type of application, we identify the endpoints: the places
where data enters and leaves the application. The data is then followed
through the application, and this data flow is leading in assessing the
quality of the security measures.
</li>
<li>Dynamic analysis
<br/>
Dynamic analysis can also be performed. In this case, the program is run and
actively exploited by the specialist. This is usually done to confirm a
vulnerability and as such follows the result of the static analysis.
</li>
</ol>
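<p>
The following Python script is an added illustration of the data-following
step described under static analysis above; it is not part of the original
report template and not a tool of the auditing company. It parses a small,
constructed code sample, treats the assumed names request.args.get and input
as points where data enters the application, follows that data through plain
assignments, and reports where it reaches the assumed sink calls os.system,
subprocess.call and cursor.execute.
</p>

```python
"""Source-to-sink data-flow check over a Python snippet.

Added illustration, not code from the original report template. The source
and sink names below are assumptions chosen for this example; a real audit
derives them from the application and platform under review.
"""
import ast

# Assumed entry points (where data enters) and sinks (where it leaves).
SOURCES = {"request.args.get", "input"}
SINKS = {"os.system", "subprocess.call", "cursor.execute"}

# Constructed sample under review: list_dir passes user data to a shell,
# show_version passes only a constant.
SAMPLE = '''
import os

def list_dir(request):
    name = request.args.get("dir")
    cmd = "ls " + name
    os.system(cmd)

def show_version():
    version = "1.0"
    os.system("echo " + version)
'''


def dotted_name(node):
    """Return 'a.b.c' for a Name or Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def is_tainted(expr, tainted):
    """True if expr reads a tainted variable or calls a source directly."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Call) and dotted_name(sub.func) in SOURCES:
            return True
    return False


def find_flows(source_code):
    """Return (sink, line) pairs where entry-point data reaches a sink."""
    tree = ast.parse(source_code)
    findings = []
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        # Visit nodes in source order so taint flows forward through assignments.
        nodes = sorted(ast.walk(func),
                       key=lambda n: (getattr(n, "lineno", 0),
                                      getattr(n, "col_offset", 0)))
        for node in nodes:
            if isinstance(node, ast.Assign) and is_tainted(node.value, tainted):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        tainted.add(target.id)
            elif isinstance(node, ast.Call) and dotted_name(node.func) in SINKS:
                args = list(node.args) + [kw.value for kw in node.keywords]
                if any(is_tainted(a, tainted) for a in args):
                    finding = (dotted_name(node.func), node.lineno)
                    if finding not in findings:
                        findings.append(finding)
    return findings


if __name__ == "__main__":
    for sink, line in find_flows(SAMPLE):
        print("entry-point data reaches %s at line %d" % (sink, line))
```

<p>
The script only propagates taint through simple assignments and does not
model sanitisation or control flow, so each reported flow still needs the
manual confirmation described under dynamic analysis; the sources and sinks
that matter depend on the framework and platform, which is why the approach
starts with a thorough comprehension of the application.
</p>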
</section>