What is source code auditing?
In its general recommendations and guides, ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) recommends periodic security audits.
In fact, in its computer hygiene guide, ANSSI specifies that audits are the only way to verify the effectiveness of the measures implemented in the field. This applies to both organizational and technical audits.
A code security audit is one of the security audits that make it possible to evaluate the security level of one or more components of an information system. Source code review is therefore an essential step in identifying the implementations targeted by the analysis and assessing their compliance.
The main objective is to evaluate the security of the code's programming practices, to ensure that the rules of good practice in terms of specification and design have been respected:
- Use of consistent naming conventions so that the programmer can easily understand the role of each function and parameter (maintenance and maintainability);
- Level of information opacity (no disclosure of sensitive information);
- Ease of use (control of operation sequencing).
For source code reviews, the Synetis methodology proposes a two-step breakdown:
- A sampling phase to identify the application's sensitive points and guide the security analysis, based in part on the architecture analysis;
- A security analysis that calls on the auditor's expertise to identify deviations from programming practices and vulnerabilities in the context of the general audit.
The objective of the analysis of code samples is to:
- Manually analyze the code of functions identified as critical and offer an opinion on their security;
- Analyze relevant results from automated tools, to identify whether they have a security impact or are the result of programming errors.
The auditor is likely to identify exploitable vulnerabilities in the code. Identified vulnerabilities are then rated using the CVSSv3 method. If vulnerabilities are identified, Synetis proposes to check their exploitability through penetration tests.
We cover the following languages:
- C / C++
- Java
- JavaScript
- Python
- Perl
- PHP
- Ruby
- Shell/PowerShell
- SQL
Our method is based on static analysis of the code using a "white box" approach. Several automated code analysis techniques are combined with a manual review, and the findings are compared against the OWASP and Synetis good development practice guidelines.
Vulnerabilities detected during our source code audits may include a lack of filtering of incoming or outgoing data, a lack of protection for exchanged sensitive data, poor error handling that may expose sensitive data, unmaintainable code, etc.
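To make the "automated tools plus manual review" approach concrete, here is an added example (not Synetis's tooling, and not code from the original page) of a small AST-based static check in Python. It flags two of the vulnerability classes listed above, a query built from unfiltered input and an error handler that returns the raw exception to the caller, and runs it over a constructed sample module that contains one of each next to a hardened function that is not flagged. The function and rule names are hypothetical; the output is a list of candidate findings for the auditor to triage by hand, as the sampling phase describes.

```python
"""Minimal white-box static check over Python source (added example, not the audit firm's tool)."""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line in the audited source
    rule: str      # hypothetical rule identifier
    message: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime (f-string, %, +, .format)."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


class AuditVisitor(ast.NodeVisitor):
    """Collects candidate findings; a human reviewer decides whether each one has a security impact."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        # Rule SQL-DYNAMIC: cursor.execute(...) whose query text is assembled at runtime,
        # i.e. incoming data reaches the query without filtering or parameter binding.
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args and _is_dynamic_string(node.args[0])):
            self.findings.append(Finding(
                node.lineno, "SQL-DYNAMIC",
                "query text built from runtime data; use parameterized queries"))
        self.generic_visit(node)

    def visit_ExceptHandler(self, node: ast.ExceptHandler) -> None:
        # Rule ERR-LEAK: `except ... as e:` whose return value references `e`,
        # i.e. internal error details are handed back to the caller.
        if node.name:
            for sub in ast.walk(node):
                if isinstance(sub, ast.Return) and sub.value is not None:
                    used = {n.id for n in ast.walk(sub.value) if isinstance(n, ast.Name)}
                    if node.name in used:
                        self.findings.append(Finding(
                            sub.lineno, "ERR-LEAK",
                            "exception object returned to caller; log it and return a generic error"))
                        break
        self.generic_visit(node)


def audit_source(source: str) -> list[Finding]:
    """Parse one module and return its findings sorted by line."""
    visitor = AuditVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample under audit: two weak functions and one hardened equivalent.
SAMPLE_SOURCE = '''\
def get_user(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % username)
    return cursor.fetchone()

def load_profile(cursor, user_id):
    try:
        cursor.execute("SELECT * FROM profiles WHERE id = %s", (user_id,))
        return cursor.fetchone()
    except Exception as exc:
        return {"error": str(exc)}

def safe_lookup(cursor, user_id):
    try:
        cursor.execute("SELECT * FROM profiles WHERE id = %s", (user_id,))
        return cursor.fetchone()
    except Exception:
        return {"error": "lookup failed"}
'''


if __name__ == "__main__":
    for finding in audit_source(SAMPLE_SOURCE):
        print(f"line {finding.line}: [{finding.rule}] {finding.message}")
```

Running the script reports line 2 (string-formatted query) and line 10 (exception returned to the caller) and nothing for `safe_lookup`, which binds its parameter and returns a generic message. Both rules are deliberately heuristic (a `%` on a non-string operand would also be flagged), which is exactly why the methodology pairs tool output with manual analysis before a finding is rated.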