Security code review is the process of auditing the source code for an application to verify that the proper security controls are present, that they work as intended, and that they have been invoked in all the right places. Code review is a way of ensuring that the application has been developed so as to be “self-defending” in its given environment.
Our security code review experts verify that application developers are following secure development techniques. A general rule of thumb is that a penetration test should not discover any additional application vulnerabilities relating to the developed code after the application has undergone a proper security code review.
Our security code reviews are a combination of human effort and technology support. At one end of the spectrum is an inexperienced person with a text editor. At the other end of the scale is our security expert with an advanced static analysis tool.
Tools are used to support this task, but we always ensure human verification. Tools do not understand context, which is the keystone of security code review. Tools are good at assessing large amounts of code and pointing out possible issues, but TransICT experts verify every single result to determine whether it is a real issue, whether it is actually exploitable, and what risk it poses to your enterprise.
Our security reviewers are necessary to cover the significant blind spots that automated tools simply cannot check.