Code Review

Overview

Detect and remediate flaws in your system’s code

The basis of all IT systems and applications is source code. Even if a particular system or application works well from a functional point of view, it may still contain serious security weaknesses. If the conditions in which the system or application is used allow a weakness to be exploited, it becomes a vulnerability. If attackers become aware of such a vulnerability, they may exploit it to attack the system or application, or to gain access to networks and systems connected to it.

Finding and remediating software vulnerabilities and weaknesses is a major step towards improving the security posture of your systems and applications, and your IT infrastructure in general. UL will first examine the system or application, its context, and potential threats, followed by scoping based on a threat model. The central part of the code review is the actual examination of the source code. This step is followed by reporting and advice to conclude the code review.

Step 1: Information Gathering

During this step, UL will gather key information about the system or application, its usage and, where applicable, its intended deployment environment. The goal is to establish the basis for testing (what the System under Test is) and the criteria for testing (how it will be tested and against what).

The focus will be to understand the implemented architecture of the system or application and its context, and to identify threats and develop the threat model against which the system or application needs to be tested.

UL will also perform interviews to get information about the Software Development Life Cycle (SDLC), such as whether threat modelling has been used and how new software releases are tested and deployed.

Step 2: Scoping

With the system or application architecture and threats clarified, UL will then perform scoping. UL identifies the system or application elements that require code review in the next step because they are critical for security. Using the threat model, UL will create an overview of risks, which is then used to scope and guide the code review for the specific system elements concerned.

Step 3: Code Review

UL will then perform the code review to determine the specific vulnerabilities and weaknesses present in the system or application elements in scope. The review is based on a detailed examination of the architecture and source code. In addition to identifying vulnerabilities and weaknesses, UL will check system or application properties such as:

    • Secure data storage
    • Evidence strength
    • Secure user management
    • Authentication & authorization
    • Session & cache management
    • Data access
    • Data validation & encoding (input & output)
    • Error handling & logging
    • Etc.

The activities performed during this step are:

    • Automated static code analysis: The purpose is to find basic code-level vulnerabilities efficiently across large code bases (potentially millions of lines of code).
    • Manual code analysis: The purpose is to reduce false positives and false negatives, and to check for the security controls that serve as countermeasures against the identified threats and risks.
    • Process assessment: Some parts of the relevant development and deployment processes are essential in dealing with threats and risks, and these are reviewed here.
    • Maintainability inspection: A maintainability inspection can be performed to find parts of the system or application where new vulnerabilities are likely to be introduced.

Step 4: Report & Advice

The report includes the breakdown of the system or application's elements in scope, describes the review that was performed, and lists any technical flaws (i.e. implementation flaws introduced by developers) and logical flaws (i.e. architectural or design flaws), both vulnerabilities and weaknesses, that have been found. UL will add advice on existing and additional recommended security controls to mitigate the identified risks.
