Secure Code Review | Kratikal

HOW IT WORKS

1 Reconnaissance

We gather information about the application here. Inspecting the actual running application is essential to give the review team an insight into how the application is intended to work. A brief overview of the structure of the codebase and of the libraries in use also helps the review team get started.

2 Threat Assessment

We conduct a threat assessment to better understand the application’s architecture. The identified threats become the list of vulnerabilities that we prioritise during the code review. The applications critical to the organization are identified first, and the threat assessment is conducted for that set of applications.

3 Automation

In the automation phase, the code is reviewed with the help of various commercial and open source tools. Automated tools are widely used to analyse large codebases with millions of lines of code, increasing the throughput of the code review process. They identify the insecure sections of code in the codebase, which can then be evaluated by the developer or a security analyst.

4 Manual Code Review

Manual code review is the only way that several key security controls can be verified, including access control, encryption, data protection, logging, and back-end system communications and usage. A manual review is also important for tracing the attack surface of an application and identifying how data flows through the application from its sources to its sinks. Going through the code line by line is expensive, but it gives a clearer understanding of the code and also helps in removing false positives.
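The source-to-sink tracing described above, and the false positives that a reviewer removes, can be illustrated with a small data-flow checker. The following is an added example written for this page; it is not Kratikal's tooling or any product mentioned here. The source, sanitizer and sink tables and the sample snippet are constructed for illustration, and the checker deliberately models only straight-line assignments, which is the kind of simplification a reviewer has to compensate for by hand.

```python
import ast

# Taint sources: attribute chains of calls that return attacker-controlled data.
SOURCES = {("request", "args", "get")}
# Calls whose result is treated as safe even when the argument was tainted.
SANITIZERS = {("int",)}
# Sinks: called method name -> positions of the arguments that are interpreted
# (query text, shell command). Other arguments, such as the bound parameter
# tuple of execute(), are passed out of band and do not form the query.
SINKS = {"execute": {0}, "system": {0}}


def _attr_chain(node):
    """Turn request.args.get into ('request', 'args', 'get'); plain int -> ('int',)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return tuple(reversed(parts))


def _is_tainted(expr, tainted):
    """True if the expression reads a tainted variable or calls a source directly."""
    for n in ast.walk(expr):
        if isinstance(n, ast.Name) and n.id in tainted:
            return True
        if isinstance(n, ast.Call) and _attr_chain(n.func) in SOURCES:
            return True
    return False


def _leaf_statements(body):
    """Yield simple statements in source order, descending into compound ones."""
    for stmt in body:
        nested = [getattr(stmt, f) for f in ("body", "orelse", "finalbody")
                  if isinstance(getattr(stmt, f, None), list)]
        if nested:
            for block in nested:
                yield from _leaf_statements(block)
        else:
            yield stmt


def scan(src, naive=False):
    """Return (line, sink, arg_index) for every tainted value reaching a sink.

    naive=True treats every argument of a sink as interpreted, which is how a
    crude pattern-matching scanner behaves and where its false positives come from.
    """
    tainted = set()
    findings = []
    for stmt in _leaf_statements(ast.parse(src).body):
        # Propagate taint through assignments one statement at a time
        # (flow-insensitive; loops and branches are not modelled).
        if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)):
            name, value = stmt.targets[0].id, stmt.value
            if isinstance(value, ast.Call) and _attr_chain(value.func) in SANITIZERS:
                tainted.discard(name)
            elif _is_tainted(value, tainted):
                tainted.add(name)
            else:
                tainted.discard(name)
        # Check every call in the statement against the sink table.
        for call in ast.walk(stmt):
            if not isinstance(call, ast.Call):
                continue
            chain = _attr_chain(call.func)
            if not chain or chain[-1] not in SINKS:
                continue
            positions = range(len(call.args)) if naive else SINKS[chain[-1]]
            for i in positions:
                if i < len(call.args) and _is_tainted(call.args[i], tainted):
                    findings.append((call.lineno, chain[-1], i))
    return findings


def false_positives(src):
    """Findings a naive scan raises that the source-to-sink model rules out."""
    precise = set(scan(src))
    return [f for f in scan(src, naive=True) if f not in precise]


# Constructed sample under review (not real application code).
SAMPLE = '''\
from flask import request
import os

def lookup(cursor):
    uid = request.args.get("id")                                        # line 5
    cursor.execute("SELECT * FROM users WHERE id = " + uid)             # line 6: injection
    page = int(request.args.get("page"))                                # line 7: sanitised
    cursor.execute("SELECT * FROM posts LIMIT " + str(page))            # line 8: safe
    name = request.args.get("name")                                     # line 9
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))      # line 10: parameterised
    os.system("ls " + uid)                                              # line 11: injection
'''

if __name__ == "__main__":
    print("confirmed:", scan(SAMPLE))
    print("naive scan false positives:", false_positives(SAMPLE))
```

Running the block reports lines 6 and 11 as confirmed source-to-sink flows, while the naive mode additionally flags line 10, where the tainted value only reaches the parameter tuple of a parameterised query. That extra finding is the kind of result an automated scan produces and a line-by-line reviewer discards after checking how the data actually reaches the sink.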

5 Confirmation & POC

After the automated and manual review is done, we confirm the risks that were discovered, with a proof of concept where applicable, and document the possible fixes that can be used to patch each vulnerability found in the codebase.

6 Reporting

When all the above steps are completed, we put every finding into a report in an understandable format. Each issue in the code is listed alongside the patching solution for it. The issues and recommendations are discussed between the client’s development team and Kratikal’s security team, and the development team fixes them accordingly.

ADVANTAGES

  • Easy bug detection by in-depth code analysis to get faster results.
  • Detect vulnerabilities that are missed by automatic code scans by using our manual code reviews and succeed in spotting insecure coding practices.
  • Get a detailed report, including analysis of all the code lines with issues, to gain an insight into the strengths and weaknesses of your codebase.
  • Suggest precise solutions and recommendations customized for your developers with code level suggestions.
  • Satisfy industry regulations and compliance standards like PCI DSS and HIPAA.