Source Code Security Review
A review of application source code provides an effective method of identifying insecure development patterns, logic flaws, and other subtle vulnerabilities that can be missed during application penetration testing. Members of Insomnia Security’s code review team are experienced in auditing all modern application development languages and frameworks across a wide variety of platforms.
Using both automated and manual review methods to ensure comprehensive coverage, the team at Insomnia Security can conduct a review of the entire code base or a targeted review that focusses only on security-relevant areas such as authentication and authorisation, exposed interfaces, and the handling of user-supplied data.
Providing access to the source code allows testers to quickly identify vulnerabilities in authentication and authorisation flows; weaknesses in data validation leading to injection attacks; logic flaws; issues with application workflows; and the use of insecure methods or functions.
In addition to those generic issues, specific vulnerabilities can also be uncovered depending on the type of application under review, including:
Web Applications and Web Services
Issues relating to the acceptance and handling of user-supplied input, database interaction, XML query processing, and session handling, as well as other vulnerabilities such as those covered by the OWASP Top 10 list.
Thick Client Applications
Issues including client-side security controls, registry data storage, local authentication bypass, handling of temporary data files, memory leaks and buffer overflows, and race conditions.
Issues such as jailbreak and device root detection, local data storage and validation, key exchange and encryption usage, and the use of security settings and configurations.