pentext/xml/source/snippets/offerte/en/additional-code-audit_methodology.xml
2017-10-10 11:32:02 +02:00


<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Code Audit</title>
<p>
<company_short/>
will perform a code audit to aid pentesting. During a code audit, we
manually examine the code of an application to ensure there are no security
vulnerabilities and use our understanding of the code to guide our
pentesting. If vulnerabilities are found, we document them and suggest ways
to fix them. This is done by highly trained penetration testers who can both
review the raw code and interpret the findings of the automated scans,
putting them into context.
</p>
<p>
During the code audit portion of penetration tests, we take the following
criteria into account:
</p>
<ol>
<li>Risk Assessment and Threat Modeling
<br/>
In this step, we analyze the risks of a particular application or system.
Threat modeling is a specific, structured approach to risk analysis that
enables us to identify, qualify, and address security risks, and it
dovetails with the code review process. For example, user data is sacred:
we check whether it is stored encrypted, whether <client_short/> employees
have a backdoor into that data, and whether stolen devices can be cut loose
by wiping them remotely and revoking their accounts.
</li>
<li>Purpose and Context
<br/>
Here we focus on risks related to the purpose of the code. Context-related
risks differ from one kind of code to another; for instance, source code
for upload and access functionality carries different risks than source
code for web applications.
</li>
<li>Complexity
<br/>
Much of the complexity of a system lies in the frameworks that support the
web application. We leave those aside and focus only on the custom code and
backend code, looking for implementation mistakes and known flaws in the
systems in use. For example, we ensure you are using the latest versions of
software, but we do not delve into the framework itself. Since we assume the
code was written by a team, it should be clearly written code. If you have
several full-release versions, there will undoubtedly be several revisions
of and audits on that code.
</li>
</ol>
<p>
For more information, please refer to this link:
<a
href="https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents">
https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents
</a>
</p>
</section>