Code audit

8.6% — Average loss in company valuation after breaches
Source: Comparitech

10,573 — Malicious applications blocked every day
Source: Symantec

5,200 — Number of cyber attacks suffered each month by IoT devices
Source: Symantec

Applications at the heart of critical processes

Corporate processes rely largely on applications developed by internal teams or by external service providers. Because these applications are usually exposed to the outside world, or handle critical processes, they become attack vectors for attackers. The main causes of this security failure are:

  • Failure to follow good security practices during the development of these applications;
  • Insufficient security testing before going into production;
  • The absence of a certification process for applications.

The code review aims to identify the security flaws of the application that stem from its functionality, its design and its development method.

With the increasing complexity of applications and the generalization of agile methods (e.g. DevOps), traditional testing methods may not detect all the security flaws present in an application. It is therefore necessary to analyze the application code, its external components (libraries, APIs, authentication tools, etc.) and its configuration.

More than 300,000 Android users have downloaded a banking application containing a Trojan.

Source: Threat Fabric

Avoiding Trojan Horses

Auditing the source code of an application verifies that the security features and control mechanisms are present in the code, that they work as expected, and that they are applied in the right places.

The source code audit approach adopted by HumanOne is as follows:

  • Understand the context of the application and define the scope;
  • Collect source files and analyze their structure;
  • Sample the files and functions of the code to be audited;
  • Perform the automated static analysis via dedicated tools;
  • Carry out manual static analysis on critical elements;
  • Consider a dynamic analysis (highlighting flaws);
  • Document the findings and recommendations.

The code audit is carried out according to best practices from OWASP, MITRE and the CSA (Cloud Security Alliance), among others.

Need advice to help you in your projects?