<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Code Audit</title>
<p>
<company_short/> will perform a code audit. During this process we will verify whether the proper
security controls are present, work as intended and are implemented correctly.
If vulnerabilities are found, we determine the threat level by assessing the
likelihood of exploitation of this vulnerability and the impact on the
Confidentiality, Integrity and Availability (CIA) of the system. We will describe how an
attacker would exploit the vulnerability and suggest ways of fixing it.<br/>
This requires extensive knowledge of the platform the application is running on, as well
as extensive knowledge of the language the application is written
in and the patterns that have been used. Therefore a code audit must be done by highly-trained
specialists with a strong background in programming.
</p>
<p>
During the code audit, we take the following approach:
</p>
<ol>
<li>Thorough comprehension of functionality<br/>
We try to get a thorough comprehension of how the application works and how
it interacts with the user and other systems. Having detailed documentation
(manuals, flow charts, system sequence diagrams, design documentation) at
this stage is very helpful, as it aids the understanding of the application.
</li>
<li>Static analysis<br/>
Using the understanding we gained in the previous step, we will use static code
analysis to uncover any vulnerabilities. Static analysis means the specialist will
analyze the code and the implementation of security controls to get an understanding of
the security of the application, rather than running the application to reach the same
goal. This is primarily a manual process, where the specialist relies on his or her knowledge and expertise
to find the flaws in the application. The specialist may be aided in this process by
automatic analysis tools, but his or her skills are the driving force.<br/>
Depending on the type of application, we will identify the endpoints: the points
where data enters and leaves the application. The data is then followed through the application,
and this data flow is leading in assessing the quality of the security measures.
</li>
<li>Dynamic analysis<br/>
Dynamic analysis can also be performed. In this case, the program
is run and actively exploited by the specialist. This is usually done to confirm
a vulnerability and as such follows the result of the static analysis.
</li>
</ol>
</section>