The first step is information gathering. Inspecting the actual running application is mandatory, because it gives the review team an understanding of how the application is intended to work. A brief overview of the structure of the codebase and of the libraries it uses also helps the review team get started.
Next, we conduct a threat assessment to understand the application's architecture. The threats identified there become the list of vulnerability classes that we prioritise during the code review. The applications that are critical to the organisation are identified first, and the threat assessment is carried out for that set of applications.
In the automated phase, the code is reviewed with commercial and open-source static analysis tools. Such tools are widely used on large codebases with millions of lines of code and greatly increase the throughput of the review. They flag candidate insecure code patterns across the codebase, which a developer or security analyst then evaluates; the output is a starting point for the manual review, not a final verdict.
Manual code review is the only way that several key security controls can be verified, including access control, encryption, data protection, logging, and communication with and use of back-end systems. Manual review is also essential for tracing the attack surface of an application and identifying how data flows through it from its sources (where untrusted input enters) to its sinks (where that input is consumed by a sensitive operation). Going through the code line by line is expensive, but it gives a much clearer picture of the code and eliminates the false positives reported by the automated tools.
Once the automated and manual reviews are complete, we confirm each of the risks discovered and determine the fixes that can be applied to patch each vulnerability found in the codebase.
When all the above steps are completed, every finding is collected in a report in an understandable format: each issue in the code is listed together with its recommended fix. The issues and recommendations are discussed between the client's development team and Kratikal's security team, and the development team then fixes them accordingly.