Source Code Analysis
Source code analysis, also known as Static Application Security Testing (SAST), finds security-relevant programming errors directly in the source code, without running the application. It can be performed throughout the development phase and points the developer to the root cause of the problem.
Manual Source Code Analysis
Wherever manual source code analysis is requested or required for security reasons, we offer our SAST Quick Wins process, a lean and focused approach.
In modern web applications, the programming errors behind security vulnerabilities often occur at typical, systematically identifiable positions in the code and configuration. Our SAST Quick Wins process checks exactly these positions at a realistic cost and thereby significantly increases the security of a web application. The process is also ideal as a preparatory supplement to a penetration test.
The following are examined:
- Incorrect server configuration (web.xml, web.config, machine.config, config.php, etc.)
- Incorrect logging configuration (log4j, log4net, log4php, etc.)
- Incorrect framework configuration (Struts, Spring, Hibernate, NHibernate, etc.)
- Incorrect use of validators
- Cross-site scripting (XSS) through missing or incorrect output encoding of data written into the generated HTML
- SQL injection, LDAP injection, XPath injection, OS command injection and other injection flaws
- Use of weak or misused cryptography
- Insecure shell calls
- Insecure API calls
- Insecure session management, including cookie definition
- Hard-coded or plaintext passwords and other secrets
- Information disclosure via console or debug output (stack traces, dumps of internal data)
- Defective error handling
- Existence of “FixMes” and “To-dos” in the source code
- Presence of suspicious keywords (“bypass”, “backdoor”, etc.)
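Several of the items above (to-dos and FixMes, suspicious keywords, plaintext passwords, SQL string concatenation, shell calls, console disclosure, weak cryptography) sit at exactly the kind of systematically identifiable positions a lean first pass can locate before the manual review starts. The following script is an added example, not code from the original page or from any vendor tool: a grep-style scanner with one regular expression per category run over a small constructed source tree. The rule names, the regexes and the sample files are assumptions made for the illustration; the clean file with a parameterised query shows that the SQL rule does not fire on a prepared statement.

```python
"""Lightweight "quick wins" source scanner: a grep-style first pass over
typical hot spots (to-dos, suspicious keywords, plaintext passwords, SQL
string concatenation, shell calls, console disclosure, weak crypto).
Added example; rule set and sample files are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    text: str


# Rule name -> regex matched against each source line. Deliberately simple:
# a hit marks a candidate line for a human reviewer, not a confirmed bug.
RULES = {
    "todo-fixme": re.compile(r"\b(TODO|FIXME|XXX|HACK)\b"),
    # no leading \b so that identifiers such as debugBypass are caught too
    "suspicious-keyword": re.compile(r"(bypass|backdoor|disable[_ ]?auth|skip[_ ]?check)", re.I),
    "plaintext-password": re.compile(r'''(password|passwd|pwd|secret)\s*[=:]\s*["'][^"']{3,}["']''', re.I),
    # SQL keyword followed by a string literal glued to something with '+'
    "sql-concat": re.compile(r'''(SELECT|INSERT|UPDATE|DELETE)\b[^;]*["']\s*\+''', re.I),
    "shell-call": re.compile(r"\b(Runtime\.getRuntime\(\)\.exec|ProcessBuilder|shell_exec|exec|system|popen)\s*\("),
    "console-disclosure": re.compile(r"\b(printStackTrace|console\.log|print_r|var_dump|System\.out\.println)\s*\("),
    "weak-crypto": re.compile(r"\b(MD5|SHA-?1|DES|RC4|ECB)\b"),
}

# Constructed sample "files" (path -> content); not taken from any real project.
SAMPLE_FILES = {
    "src/LoginServlet.java": """\
// FIXME: remove before release
String sql = "SELECT * FROM users WHERE name='" + user + "'";
String dbPassword = "Sup3rSecret!";
MessageDigest md = MessageDigest.getInstance("MD5");
if (debugBypass) { session.setAttribute("auth", true); }
""",
    "src/Report.java": """\
try { render(report); }
catch (Exception e) { e.printStackTrace(); }
""",
    "tools/backup.php": """\
<?php
$out = shell_exec("tar czf /tmp/bk.tgz " . $_GET['dir']);
var_dump($out);
""",
    "src/Clean.java": """\
PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE name = ?");
ps.setString(1, user);
""",
}


def scan_source(path: str, source: str) -> list[Finding]:
    """Return one Finding per (line, rule) pair that matches in `source`."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rx in RULES.items():
            if rx.search(line):
                findings.append(Finding(path, lineno, name, line.strip()))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> content in deterministic (sorted path) order."""
    out = []
    for path in sorted(files):
        out.extend(scan_source(path, files[path]))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for the management-level overview."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def render_report(findings: list[Finding]) -> list[str]:
    """Developer-facing lines: path:line [rule] offending source line."""
    return [f"{f.path}:{f.line} [{f.rule}] {f.text}" for f in findings]


if __name__ == "__main__":
    results = scan_tree(SAMPLE_FILES)
    print("\n".join(render_report(results)))
    print(summarize(results))
```

Every hit still has to be read by a reviewer: `exec(` in a comment or `DES` in an unrelated identifier will produce false positives, and a concatenated query built in a helper two calls away will be missed. The value of the pass is that it puts the reviewer at the systematically interesting positions quickly; confirming exploitability and deciding on the fix remains manual work.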
Our analysis results in a comprehensive report that describes every problem area tested and highlights the corresponding points in the source code, together with general information and best practices for resolving each problem. This is intended to let a developer easily find, understand and eliminate the corresponding problem. In addition, we offer:
- Workshops in which the results are discussed and the best approaches to a solution are developed.
- Creation of programming rules and specifications derived from the results (secure coding guidelines).
Automatic Static Code Analysis
We select a static code analysis tool (a Static Application Security Testing, or SAST, tool) from the many available on the market to suit your specific needs, and present the results in a form that both managers and developers can understand.
As a security testing method, automated source code analysis is an alternative to penetration testing, frequently a stronger one, and combined with it gives the broadest coverage. The possibilities for using this method are far-reaching and range from a quick scan that already yields a high level of information to integration into the entire software development lifecycle (SDLC). Allow us to advise you on how best to use this powerful tool to secure your web applications in the long term and achieve the best trade-off between cost and security. We offer the following tests:
SAST quick test
The objective of this test is to establish a security baseline for the web application under review at minimal cost.
- You transmit the source code to us (in buildable form) or we visit your offices.
- We clarify the protection needs in advance and define your requirements and objectives.
- We then analyse the application with high-performance tools.
- We review the findings against the pre-defined specification and provide you with a report of the results.
SAST integrated analysis/Pentest
This test combines the strengths of automated source code analysis (see the SAST Quick Test) with the benefits of a penetration test to achieve the most complete analysis result.
Comprehensive code-based web application security
We provide comprehensive advice on how best to use the most powerful approach to secure web applications: code-based, tool-supported source code analysis. In doing so, we consider
- Differentiation from and/or integration of other web application security measures
- Integration options in the software development lifecycle (SDLC)
- Impact on release processes
- Improvement of other software quality features
- Improvement of developers’ skill levels in the development of secure web applications
Source code analysis versus penetration tests
Automated source code analysis and penetration tests both have their strengths; it comes down to using each correctly. Some characteristics of the two approaches:
Automatic source code analysis
- Systematic, comprehensive approach
- The vulnerabilities uncovered and the recommended actions are described in the developers' language
- Findings are traceable to specific lines of code, and data flows can usually be followed end to end (from source to sink)
- Provides information even during the development phase, before the application is deployable
- Individual components or modules can be analysed in isolation
- Makes an effective contribution to training developers
- Security knowledge becomes an integral part of the project or the entire organisation, rather than being held by individual people
- Uncovers vulnerabilities a penetration test will not find (for example flaws in code paths a black-box test never reaches, hard-coded secrets, weak cryptography)
Penetration tests/External analysis
- Covers the entire deployed system (web server, platform configuration, etc.) in the analysis, not just the application code
- Requires no access to the source code and is comparatively easy to set up
- Finds vulnerabilities that source code analysis cannot find or cannot reliably find (for example deployment and configuration issues, or behaviour of third-party components for which no source is available)