Source Code Security Assessment
Research has shown that fixing security problems early in the development cycle is more efficient and more cost effective than the traditional penetrate-and-patch model. Foundstone application security consultants use rigorous and efficient source code inspection to identify detrimental software security problems at the onset of the development cycle.
We use commercial inspection tools to help automate the process, and Foundstone experts manually validate every reported issue and inspect the code by hand to cover what automated tools and techniques miss. Our application security consultants find policy or best-practice violations, such as inappropriate cryptographic algorithms, and common semantic language constructs that lead to vulnerabilities.
We have expertise in C, C++, C#, Java™, CFML, and PHP, work within development frameworks such as J2EE and the .NET Framework, and develop on Win32 and UNIX platforms.
Foundstone's capability in source code security assessments comes from our S3i consultants, who have performed source code audits on numerous client applications as well as on their own software. Our S3i consultants have all worked as development practitioners on commercial enterprise software systems and understand the software development process, as well as why and how security bugs are introduced. Our experience, combined with advanced automated tools that use contextual analysis, enables us to look at more code faster, more accurately, and more effectively than other security consulting services.
When examining any sizeable application, we start by building a threat model in conjunction with the development team. The threat model helps us understand the application's functionality, technical design, and existing security threats and countermeasures. It also lets us narrow the code base we need to examine to a much smaller scope (typically 40 percent of the code).
Armed with the threat model and a complete understanding of the application's architecture, we use automated tools from Secure Software to assess the code for semantic and language security bugs. In general, we look for two types of issues: design flaws and implementation bugs. Design flaws are poor design ideas that have been implemented, such as choosing an inappropriate source of randomness for cryptographic key generation. Implementation bugs are typically syntactic or semantic language constructs that lead to security vulnerabilities. Software Magazine has published our work and methodology for code assessments in multiple articles.
Our detailed reports provide specific vulnerability information, including file and line location, the issue itself, and suggested solutions. We also provide an overview, including statistics for code sections such as vulnerability density in specific areas (vulnerabilities per 1,000 lines of code) and suggested strategic remediation such as the creation of reusable components or security libraries.
Contact us to learn how our security services can help you protect your most important assets today.

