This entails a detailed review of the structure, control flow and form of the software by a consultant who is familiar with the programming language used and its dependent technologies; potential weaknesses are investigated so that any unsound code can be fixed.
The code review assessment can be applied to any programming language, whether it is for a web application or a standalone binary application.
In the case of a web application, the vulnerabilities our team is looking for are the same as with a Web Application Assessment.
If the code review is needed for standalone binary software, the focus shifts to a much wider range of security issues specific to compiled languages. Below is a list of the most common issues our team members encounter:
- Integer Overflow or Underflow
- Buffer Overflow (Stack or Heap)
- Race Conditions
- Format Strings
- Dangling Pointers
- Broken or inadequate authentication
- Broken or inadequate authorisation
- Inconsistent implementation throughout a project
- Insecure Direct Object References
- User Enumeration
- Privilege Escalation
- Weak Forgot/Change Password Implementation
- Broken Session Management
- Cross-Site Request Forgery (CSRF)
- Injection Flaws (SQL, LDAP, XPath, Commands, XSS)
- Remote/Local File Inclusion
- Insecure Cryptographic Storage
- Use of Hard-Coded Credentials/Keys
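The first two items on the list, integer overflow and buffer overflow, are frequently found together in compiled code: a length check written as `len + header <= capacity` passes when the addition wraps, and the following copy runs past the buffer. The C snippet below is an added illustration of that review finding and is not code from the original page; it uses a constructed record format (a 4-byte length prefix followed by a payload) and shows the flawed check beside the hardened one, plus a copy routine that uses the hardened check.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record format for this example: 4-byte length prefix + payload. */
#define HEADER_SIZE 4u

/* Flawed check (kept deliberately wrong to show the finding): the sum is
 * computed in uint32_t first, so payload_len = 0xFFFFFFFC wraps to 0 and the
 * comparison passes even though the payload is far larger than the buffer. */
static bool vulnerable_length_ok(uint32_t payload_len, uint32_t capacity) {
    uint32_t total = payload_len + HEADER_SIZE;   /* may wrap around */
    return total <= capacity;
}

/* Hardened check: prove the addition cannot wrap before performing it.
 * (On GCC/Clang, __builtin_add_overflow gives the same guarantee; the explicit
 * comparison is used here because it is portable C.) */
static bool hardened_length_ok(uint32_t payload_len, uint32_t capacity) {
    if (payload_len > UINT32_MAX - HEADER_SIZE)    /* payload_len + HEADER_SIZE would wrap */
        return false;
    return payload_len + HEADER_SIZE <= capacity;
}

/* Writes header + payload into dst only when the hardened check passes.
 * Returns the number of bytes written, or -1 if the record does not fit.
 * Assumption: the length prefix is stored in host byte order for simplicity. */
static int copy_record(uint8_t *dst, uint32_t capacity,
                       const uint8_t *payload, uint32_t payload_len) {
    if (!hardened_length_ok(payload_len, capacity))
        return -1;
    memcpy(dst, &payload_len, HEADER_SIZE);
    memcpy(dst + HEADER_SIZE, payload, payload_len);
    return (int)(payload_len + HEADER_SIZE);
}

/* Helpers that return results (rather than print them) so behaviour can be checked. */
static int demo_copy_fits(void) {
    uint8_t buf[64];
    const uint8_t payload[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed input */
    return copy_record(buf, sizeof buf, payload, sizeof payload);
}

static int demo_copy_too_large(void) {
    uint8_t buf[64];
    const uint8_t payload[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    /* A claimed length of 61 bytes (+4 header = 65) must be rejected for a 64-byte buffer. */
    return copy_record(buf, sizeof buf, payload, 61);
}

int main(void) {
    uint32_t hostile_len = 0xFFFFFFFCu;   /* constructed: chosen so len + 4 wraps to 0 */
    printf("vulnerable check accepts wrapped length: %s\n",
           vulnerable_length_ok(hostile_len, 64) ? "yes (bug)" : "no");
    printf("hardened check accepts wrapped length:   %s\n",
           hardened_length_ok(hostile_len, 64) ? "yes" : "no");
    printf("copy of 8-byte payload wrote %d bytes\n", demo_copy_fits());
    printf("copy of oversized payload returned %d\n", demo_copy_too_large());
    return 0;
}
```

During a review, the signal to look for is any bounds check whose left-hand side is itself an arithmetic expression on attacker-influenced values; the fix is to bound the operands before combining them, as `hardened_length_ok` does.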