Secure Code Review

Identify application security vulnerabilities earlier in your software development lifecycle – at the source code level.

Secure Code Review

The Need for Secure Code Review and Static Analysis 

Secure Code Review (SCR) and Static Application Security Testing (SAST) are essential security touchpoints in any secure SDLC as an effort to identify and remediate security vulnerabilities earlier in the software development lifecycle. If security vulnerabilities are not detected and addressed earlier through SCR and SAST techniques, the cost of remediating these vulnerabilities can increase exponentially.

Secure Code Review (SCR)

NetSPI will review source code manually to identify vulnerabilities that automated scanners cannot detect. NetSPI reviews the underlying frameworks and libraries that are being leveraged to build the application to determine if there are any known vulnerabilities that can be exploited based on how the application has been stitched together.

Complex injection attacks, use of weak or improper encryption techniques, insecure error handling, authentication and authorization issues are some examples of vulnerabilities that are typically detected using manual techniques. NetSPI also offers a SCR analysis that only reports on the OWASP Top Ten vulnerabilities.

Supported languages include: Java, .Net, SQL, JavaScript Frameworks, C/C++, PHP, and Python.

Static Application Security Testing (SAST)

Static analysis is performed with a combination of commercial, open source, and proprietary tools. All medium severity or higher vulnerabilities are manually reviewed by a security expert to triage and remove any false positives.

Organizations are provided with a report that includes easy to understand descriptions of the vulnerabilities, locations of the instances identified, and actionable remediation guidance. NetSPI also offers a SAST analysis that only reports on the OWASP Top Ten vulnerabilities.

Supported languages include: Java, .Net (C#, ASP, VB), JavaScript Frameworks (Node, React JS, AngularJS), C/C++, PHP, Perl, Python, SQL, Ruby, Android (Java), iOS (Objective-C & Swift) and Go.

Static Application Security Testing (SAST) – Triaging

NetSPI’s SAST triaging service provides support to augment an organization’s application security program and remove any false positive findings before the results are provided to development teams.

SAST triaging enables development teams to focus on issues that need attention and remediation instead of having them spend time validating the exploitability of vulnerabilities. Organizations also gain access to NetSPI’s expert security consultants that can discuss remediation techniques and strategies with the appropriate stakeholders.

Supported SAST Tools include: Checkmarx (CxSAST), Veracode Static Analysis, Fortify on Demand (FOD) / Fortify Static Code Analyzer (SCA), AppScan Source, Coverity Static Application Security Testing (SAST), SonarQube, FindBugs and Microsoft Code Analysis Tool .NET (CAT.NET).

Secure Coding and Remediation – Instructor Led Training

An add-on service made available to our clients after completion of any of NetSPI’s secure code review (SCR) or static application security testing (SAST) engagements.

For an audience of up to 20 students, virtual or in-person, NetSPI will provide a one-day instructor-led training course focused on the top five categories of vulnerabilities identified during engagements performed for the client. The class will discuss in detail each category of vulnerability, see organization specific code examples from recent assessments, and discuss remediation and mitigation techniques.

Secure Code Review Resources

Five Steps for Building an Effective Secure Code Review Program

Creating and running a SCR program is not straight forward and one strategy may not fit all organizations. To help, we’ve compiled five steps to get you started on the right path.

Four Application Security Myths – Debunked

In this blog, we set straight four of the most common myths and misconceptions we hear among those who don’t have robust application security processes in place.

Extreme Makeover: AppSec Edition

Watch this session to learn how leading organizations use different discovery techniques as part of their AppSec program, understand strengths and weaknesses of common vulnerability discovery technologies, and more.