Secure Code Review helps identify vulnerabilities in an application's source code during the development phase and allows organizations to fix the identified issues before deploying to the real world. ECQ's DRAMA code review approach combines static and dynamic code analysis with exploitation or a Proof-of-Concept where possible, to provide a more accurate severity rating for each vulnerable code block.

The DRAMA code review approach consists of five phases: Define, Recon, Analyze, Manual Review, and Advise.


ECQ works with the customer to define the scope of work and gain an overall understanding of the target application, such as the type of application, its business purpose, the programming languages used, and the number of lines of code (LoC). ECQ Consultants also advise on the methodology and framework to be used, depending on the requirements and scope of work.

Example frameworks used by ECQ for the code review service include the OWASP Testing Guide V4.2 for Dynamic Application Security Testing (DAST), the OWASP Top 10, and OWASP Code Review 2 for Static Application Security Testing (SAST).

ECQ begins reconnaissance of the application to gather more information about its architecture, such as the framework, libraries, third-party components, and dependencies. ECQ also collects the application's data flow and business flow diagrams to further understand how the application processes data and how data moves through its different components. Once the architecture and design of the application are understood, the Consultants proceed to identify known vulnerabilities and attack vectors related to the framework or libraries in use.

In this phase ECQ carries out both automated and manual code analysis to discover the application's attack surface and performs vulnerability analysis based on the results of automated code analysis tools. Through manual application review, the Consultants decompose the application to identify all possible application inputs, configurations, attack vectors, the access control matrix and roles, and dependencies.

In parallel with the manual application analysis, ECQ uses a combination of static and dynamic code analysis tools to perform automated scans of the source code and the running application. The initial scan of the source code with a SAST tool allows ECQ Consultants to quickly gain an overview of the application's functions and security issues.

The DAST tool helps identify the vulnerabilities and inputs that are most visible from a black-box perspective. Combining the DAST results with manual code review lets ECQ rank the severity and risk of each vulnerable code block with better accuracy.

This phase focuses primarily on the Consultants' manual code review effort. ECQ thoroughly reviews the source code to identify vulnerabilities that automated tools might not discover. ECQ Consultants follow the checklist and guidelines provided by OWASP Code Review to ensure that important and high-risk vulnerability classes are carefully reviewed and tested.

Manual application assessment and code review cover the following categories:

  • Business Logic
  • Data Validation
  • Authentication
  • Authorization
  • Session Management
  • Implementation of Cryptography Service
  • Error Handling
  • Logging
  • Security Misconfiguration
  • Architecture

ECQ manually reviews the static and dynamic code analysis results from the previous phase to reduce false positives, and validates each finding by writing an exploit or performing a simple proof-of-concept (PoC) attack to demonstrate the exploitability of critical or high-risk vulnerabilities. This activity helps the Consultants prioritize threats more accurately.

This is the final phase of the DRAMA service, in which ECQ works on mitigation measures for the identified issues. All code snippets, evidence, PoCs, screenshots, automated scan reports, and mitigation measures from the Consultants are submitted to the ECQ Technical Writer to prepare the report deliverables.
