Most commercial off-the-shelf (COTS) software for reviewing source code from a security perspective is fairly limited and not very extensible. Standard approaches to source code auditing that practitioners currently employ include:
- Historically, developers perform black-box tests against an application and review the results.
- A contractor reviews 3 to 5 percent of the code, looks for systemic problems, and reports back to the development team with the results.
Features
eSentire provides 100% source code coverage using our source code analysis tool suite. Automated analysis is paired with a security analyst who brings extensive expertise to problem areas. We trace data flow from each input to the point where the data is used, and verify that every path through the code meets industry-standard security requirements. This approach uncovers many common vulnerabilities that are unlikely to be found by an automated tool alone.
Sample Vulnerabilities:
- Cross-Site Scripting attacks
- SQL Injection attacks
- Cross-Site Referencing
- Information Leakage
- Content Spoofing
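The "input to usage" path review described under Features is, at its core, source-to-sink data-flow analysis: follow every value an attacker controls until it either reaches a dangerous call or passes through something that neutralises it. The following is an added example written for this page, not part of eSentire's tool suite. It reduces that idea to an intraprocedural taint tracker over Python source using the standard library `ast` module, and runs it over a constructed Flask-style sample containing the first two vulnerability classes listed above. The source, sink and sanitiser names (`request.args.get`, `cursor.execute`, `render_template_string`, `escape`) are assumptions chosen for the sample, and the sample code itself is parsed, never executed.

```python
"""Toy source-to-sink data-flow check over Python source (added example, not eSentire tooling).

Tracks which attacker-controlled values reach a dangerous call without passing
through a sanitiser. Intraprocedural, no aliasing, no unpacking: it under-reports
rather than guesses, which is the usual trade-off for a first automated pass.
"""
import ast

SQLI, XSS = "SQL Injection", "Cross-Site Scripting"
ALL_CLASSES = {SQLI, XSS}

# Hypothetical Flask-style names, chosen to match the constructed sample below.
SOURCES = {"request.args.get", "request.form.get", "request.cookies.get"}
# sink -> (vulnerability class, index of the argument that must be clean);
# only the query text of execute() matters, so a parameter tuple is not a sink.
SINKS = {"cursor.execute": (SQLI, 0), "render_template_string": (XSS, 0)}
# sanitiser -> classes it neutralises; int() yields a number, so it clears both.
SANITIZERS = {"escape": {XSS}, "int": ALL_CLASSES}


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def taint_of(expr, tainted):
    """Set of vulnerability classes an expression is still tainted for."""
    if isinstance(expr, ast.Name):
        return set(tainted.get(expr.id, ()))
    if isinstance(expr, ast.Call):
        name = dotted(expr.func)
        if name in SOURCES:
            return set(ALL_CLASSES)  # fresh attacker-controlled value
        incoming = set()
        for arg in expr.args:
            incoming |= taint_of(arg, tainted)
        for kw in expr.keywords:
            incoming |= taint_of(kw.value, tainted)
        if isinstance(expr.func, ast.Attribute):  # e.g. name.strip() keeps name's taint
            incoming |= taint_of(expr.func.value, tainted)
        return incoming - SANITIZERS.get(name, set())
    result = set()  # BinOp, f-string, tuple, ...: union of the parts
    for child in ast.iter_child_nodes(expr):
        result |= taint_of(child, tainted)
    return result


def _calls_in(node):
    """Yield Call nodes in a statement's expressions without entering nested statements."""
    for child in ast.iter_child_nodes(node):
        if isinstance(child, ast.stmt):
            continue
        if isinstance(child, ast.Call):
            yield child
        yield from _calls_in(child)


def analyze(stmts, tainted, findings):
    """Walk statements in order, propagating taint through assignments and checking sinks."""
    for stmt in stmts:
        if isinstance(stmt, ast.FunctionDef):
            analyze(stmt.body, {}, findings)  # fresh local scope per function
            continue
        for call in _calls_in(stmt):
            name = dotted(call.func)
            if name in SINKS:
                vuln_class, idx = SINKS[name]
                if idx < len(call.args) and vuln_class in taint_of(call.args[idx], tainted):
                    findings.append((stmt.lineno, name, vuln_class))
        if isinstance(stmt, ast.Assign) and len(stmt.targets) == 1 and isinstance(stmt.targets[0], ast.Name):
            tainted[stmt.targets[0].id] = taint_of(stmt.value, tainted)
        for field in ("body", "orelse", "finalbody"):  # if/for/while/try/with bodies
            inner = getattr(stmt, field, None)
            if inner and isinstance(inner[0], ast.stmt):
                analyze(inner, tainted, findings)


def scan(source):
    """Return [(line, sink, vulnerability class)] for unsanitised source-to-sink flows."""
    findings = []
    analyze(ast.parse(source).body, {}, findings)
    return findings


# Constructed sample (parsed only, never executed); expected: lines 5 and 9 flagged.
SAMPLE = '''\
from flask import request, render_template_string, escape

def lookup(cursor):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))
    uid = int(request.args.get("id"))
    cursor.execute("SELECT * FROM users WHERE id = %d" % uid)
    return render_template_string("<p>Hello " + name + "</p>")

def greet():
    safe = escape(request.args.get("name"))
    return render_template_string("<p>Hello " + safe + "</p>")
'''

if __name__ == "__main__":
    for line, sink, vuln_class in scan(SAMPLE):
        print(f"line {line}: {vuln_class} via {sink}")
```

Two design points carry over to real tooling. Sinks are modelled per argument, so the parameterised `execute(query, (name,))` on line 6 is correctly left alone while the string-formatted query on line 5 is flagged. Sanitisers are modelled per vulnerability class: `escape()` clears the XSS bit but not the SQL injection bit, so HTML-escaped input that later reaches a query would still be reported. The per-function scope, the lack of aliasing and the silence on tuple unpacking are exactly the gaps an analyst reviewing the remaining paths by hand is there to close.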
Benefits
eSentire provides an extensible tool suite and assists with tuning it to each customer’s environment and to the business rules that are to be verified. Automating source code analysis is only one part of the picture; the second involves professionals working with appropriate tools and processes so that the results are more dependable than those of an off-the-shelf product.
- Full source code audit service
- Remediation of issues found
- Education of programmers on security best practices
- Flexible tool suite you can use internally to run checks on new code
- Yearly updates that require less time and effort once a baseline is created
Source Code Languages
- JSP (JavaServer Pages)
- C#
- PHP
- Microsoft ASP (Active Server Pages, VBScript)