Application Source Code Review

An application source code review complements application penetration testing with an internal view of the application’s code quality and potential security issues relating to its design. To ascertain an application’s security posture and improve the security of your organisation’s overall development practice, it is recommended to augment results from a penetration test with an application source code review.

A manual review results in an exhaustive view of vulnerabilities related to business logic, authorisation and access management, as well as the application session and state control.

With manual source code reviews, Security-Assessment.com’s experts analyse global application design and architecture documentation to build a high-level threat model of the application. An analysis is then performed on the application’s source code. From the analysis, and taking the threat model into account, security-relevant portions of the application are identified. Typically, these consist of modules dealing with session management, access controls and any privileged system functions.

The security-relevant application sections are manually reviewed for correctness. Also, where appropriate and possible, the application as a whole is analysed to check that these modules are invoked wherever they should be, and in the correct fashion.