Source code audit
Source code audit is the only way to ensure that a wide set of bugs is not present in the application. It provides much higher assurance than black-box or gray-box penetration testing. Our specialists are skilled in a wide range of programming languages and frameworks and can identify technology-specific vulnerabilities and bad coding patterns. For some static analyzers we create custom rules adapted to the customer team's coding style. We always do a manual code review, supported by regular-expression search, to identify locations with unsafe functions, legacy code, external interfaces/controllers, security decisions, cryptography and other sensitive routines. Below is the list of technologies we support:
- PHP and the most popular CMSs and frameworks, including Laravel/Yii/Symfony/WordPress/Joomla/Drupal/Magento.
- .NET C#, and its use for thick clients and ASP.NET
- Java EE and code based on every popular container, including Tomcat/GlassFish/JBoss/Jetty, and frameworks like Struts/Spring
- Android Java
- macOS/iOS Objective-C/Swift
- C/C++ for a variety of platforms and compilers (VC/GCC)
Project case: PHP application source code audit
The goal of the project was to assess the security level of the source code of an application built on the Laravel framework. The source code was checked by automated scanners, and false-positive findings were removed during manual verification. In addition, a thorough review was conducted of critical pieces of application logic: controllers, views and models. As a result, the customer received a detailed report with recommendations, and secure-coding training was conducted for the development and QA teams. Some of the identified bugs were:
- Hardcoded passwords.
- SQL injections in the Laravel raw database queries.
- XSS in views which displayed user data without proper escaping.
- Insufficient validation of OAuth2 requests, which allowed JWT theft.
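As an added illustration of the raw-query finding (example code written for this page, not code from the customer's application; the `users` table, the `name` field and the function names are assumed), a Laravel query of the kind such an audit flags, next to its corrected forms:

```php
<?php
// Added example: a Laravel query built the unsafe way, then the same query
// with bindings and with the query builder. Table/field names are assumed.
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

// VULNERABLE: request input concatenated into a raw WHERE clause.
// whereRaw() passes the string to the database driver verbatim, so a value
// containing a quote changes the SQL statement instead of being matched as data.
function findUsersUnsafe(Request $request)
{
    $name = $request->input('name');
    return DB::table('users')
        ->whereRaw("name = '" . $name . "'")   // injection point
        ->get();
}

// FIXED (1): keep the raw clause only if it is really needed, but hand the
// value over as a binding so the driver sends it as a parameter, not as SQL text.
function findUsersSafeRaw(Request $request)
{
    $name = $request->input('name');
    return DB::table('users')
        ->whereRaw('name = ?', [$name])
        ->get();
}

// FIXED (2): preferred form. The query builder binds the value itself, and
// there is no string assembly left for a reviewer to check.
function findUsersSafe(Request $request)
{
    $name = $request->input('name');
    return DB::table('users')
        ->where('name', $name)
        ->get();
}
```

During review, a regular-expression search for `whereRaw(`, `selectRaw(`, `DB::raw(` and `DB::statement(` with a `"` or `.` inside the parentheses quickly lists the call sites that need the first form checked.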