Security testing is often divided into two types: static and dynamic. Dynamic
testing is performed in real time, while the code is running, and helps to
identify "run-time" vulnerabilities such as authentication and authorisation
flaws, denial of service, and other forms of web/application-level attacks. To
identify these dynamic threats, a penetration test is typically run. Static
analysis looks for threats before the code reaches the run-time environment. In
a number of cases, common issues such as SQL injection, cross-site scripting,
cryptographic failures and programming failures are much easier to identify
with static analysis.
The Appsecure team has been working alongside industry vendors such as
HP/Fortify, IBM, Veracode and Microsoft to perform static analysis through
either manual or automated means. Appsecure is not aligned with any particular
vendor; however, we understand the business and technical benefits these
providers bring to the market and how they increase the ability to quickly and
cost-effectively analyse applications. Our source code review program can be
delivered in a number of ways. The following describes the options for source
code review that Appsecure can perform.
Although Appsecure specialises in code review for web applications, we also
continue to complete assessments of backend server-based applications, mobile
applications (iPhone etc.), middleware and database systems. Our team has
extensive experience in language security and development, including .NET (C#,
VB.NET, J, C++), ASP, HTML, ColdFusion, PHP, Objective-C, JavaScript, Perl,
Python, C, Java, SQL, XML and many more.
Hybrid Source Code Review
The hybrid analysis model uses a mixture of automated and manual source code
analysis. We typically determine the best technology (aligned with the
language) and use it, coupled with the team's experience in writing and
reviewing source code, to conduct the assessment. When automated tools are used,
every finding is verified and validated by the review team prior to release to
the client. This ensures that false positives are not included in the final
report.
Automated Source Code Review
An automated source code review program is offered to clients who require a
low-risk application to be quickly scanned for high-risk vulnerabilities and to
determine the overall security posture of the application. This is used in
some cases where the client requires a "maturity" understanding of the
application quickly and within a smaller budget.
Manual Source Code Review
The manual source code review does not use automated tools; our consultants
review the code manually across the system. In some cases this is the only
option, for example when the source code is written in a language unsupported
by the scanning vendors on the market. Similar results are achieved with this
method; however, due to the size and nature of applications, a full manual
assessment is typically time consuming.
Another option, which involves minimal source code review, is the Appsecure
Hybrid Assurance Assessment. This is designed to gain the best of everything
within a reasonable time frame and budget. For more information on our assurance
programs, please read the assurance sections of our site or talk with one of our
team members today.