White Box Security Code Audit helps identify vulnerabilities in the source code of an application during the development phase and allows organizations to fix and address the identified issues before deploying the software or application to the real world. A security code audit often requires consultants and developers to spend a considerable amount of time manually reviewing, verifying, and ensuring the security of the developed code.
In order to shorten the amount of time required to perform a code audit, ECQ proposes the following approach.
ECQ proposes to use the OWASP Top 10 security guidelines and OWASP Code Review 1.1 as the core frameworks for all of its code audit activities. In this phase, ECQ will work with the customer to define the actual scope of the code audit and specify which vulnerability categories can be audited using an automated code analyzer, manual review effort, or both.
Vulnerability categories that have a higher risk impact on the organization or cannot be discovered by a conventional code analysis tool (for example, business logic issues) will require ECQ Consultants to spend more time on manual review. For lower-risk technical vulnerabilities, E-CQURITY will perform a manual review on top of the results from the automated code analyzer.
This second phase is where ECQ will start to discover application inputs and carry out vulnerability analysis based on the results of automated code analysis tools. ECQ consultants will attempt to reveal tainted inputs, insecure functions and algorithms, unsafe use of SQL statements and so forth.
The initial scan of the source code with a code analyzer allows the Consultants to quickly gain an overview of the application's functions and security issues. Moreover, the code analysis tool allows ECQ Consultants to perform a quick manual code review of the high-risk vulnerabilities it reports.
This phase focuses primarily on manual code review effort by the Consultants. ECQ will thoroughly review the code based on the previous findings of the code analyzer as well as the items that might not be found or discovered by the tools, such as the following:
E-CQURITY Consultants will follow the checklist and guidelines provided by OWASP Code Review v1.1 to ensure important and high risk vulnerabilities are carefully reviewed and tested.
In the Report phase, ECQ performs a final review of the code review report provided by the Consultants. The report writer will gather all code snippets, evidence, PoC screenshots, and scan data from the Consultants to prepare the deliverables.