Detect and remediate flaws in your system’s code
The basis of all IT systems and applications is source code. Even if a particular system or application works well from a functional point of view, it may still contain serious security weaknesses. If the conditions in which the system or application is used allow a weakness to be exploited, that weakness gives rise to a vulnerability. If attackers become aware of such a vulnerability, they may exploit it to attack the system or application, or to gain access to connected networks and systems.
Finding and remediating software vulnerabilities and weaknesses is a major step towards improving the security posture of your systems and applications, and your IT infrastructure in general. UL will first examine the system or application, its context, and potential threats, followed by scoping based on a threat model. The central part of the code review is the actual examination of the source code. This step is followed by reporting and advice to conclude the code review.
During this step, UL will gather key information about the system or application, its usage and, where applicable, its (intended) deployment environment. The goal is to establish a basis for testing (what is the System under Test) and the criteria for testing (how will we test, and against what).
The focus will be to understand the implemented architecture of the system or application and its context, and to identify threats and develop the threat model against which the system or application needs to be tested.
UL will also perform interviews to get information about the Software Development Life Cycle (SDLC), such as whether threat modelling has been used and how new software releases are tested and deployed.
With the system or application architecture and threats clarified, UL will then perform scoping. UL identifies the system or application elements that require code review in the next step because they are critical for security. Using the threat model, UL will create an overview of risks, which is then used to scope and guide the code review for specific system elements.
UL will then perform the code review to determine specific vulnerabilities and weaknesses that exist for the system or application element. The review is based on a detailed examination of the architecture and source code. Examples of system or application properties that UL will be checking for, in addition to identifying vulnerabilities and weaknesses, include:
The activities performed during this step are:
The report includes the breakdown of the system or application elements in scope, describing the review that was performed and listing any technical flaws (i.e. implementation flaws introduced by developers) and logical flaws (i.e. architectural or design flaws), both vulnerabilities and weaknesses, that have been found. UL will add advice on existing and additional recommended security controls to mitigate the identified risks.