Application Security Assessment
For security-critical applications, a source code review provides in-depth analysis of the application’s security posture and uncovers vulnerabilities that are often missed by “black box” testing alone. AppSec Consulting’s employees come from a variety of software development backgrounds and will use their security expertise to uncover your application’s security flaws at the source.
In addition, if you’ve purchased a source code analysis tool for your employees and they are struggling to use it effectively, AppSec Consulting can help by providing hands-on training and assistance. This includes help with using the tool as well as guidance on how to remediate the vulnerabilities it identifies. Code review tools sometimes output a massive quantity of data, and it’s difficult to know where to start. We can work with you to prepare a strategic remediation plan that prioritizes your efforts and helps to eliminate large groups of vulnerabilities at a time.
The AppSec Consulting Difference
- Our security professionals are expertly trained and maintain substantial software development experience, allowing them to understand the intent of the underlying application program code.
- We combine the use of top-of-the-line commercial code scanning tools with expert human analysis to provide you with a comprehensive picture of your application’s security posture.
- Our reporting differentiates us from the competition: you'll receive a custom-written report containing expert advice tailored to your business, not just automated source code analysis results. Instead of information overload, we’ll help you prepare a practical remediation plan.
- We're with you every step of the way throughout the remediation phase.
- We can train your in-house developers and QA analysts on how to effectively use source code analysis tools as part of their normal QA process.
- Preparation – AppSec Consulting’s security engineers will meet with key members of your development team to gain an understanding of the application’s functionality, design, and architecture, and to obtain access to the source code.
- Source Code Scanning – AppSec Consulting will scan your entire codebase to identify technical vulnerabilities in all areas of the application. This scanning process normally requires significant fine-tuning and configuration in order to reduce false positives and provide you with actionable results. The entire scan configuration process is documented so that your own developers can repeat this scanning process later if needed.
- Manual Source Code Review – The source code for security-critical features of the application is reviewed manually, with a focus on areas that typically carry the most risk – for example, authentication, authorization, session management, and payment processing code. In addition, any potential but unconfirmed issues that were identified by the scanner are investigated and validated.
- Report Preparation – AppSec Consulting takes the results of both the automated source code analysis and manual review and compiles a consolidated report, detailing all vulnerabilities uncovered during the testing process along with severity levels and recommendations for how to remediate each finding that was identified.
What You Get
- An actionable, custom-written Source Code Security Analysis Report, which describes the application's security posture and lists all vulnerabilities identified. For each vulnerability, we provide a custom risk rating and remediation advice that is tailored to your specific business and technical situation.
- Expert consultation throughout the remediation phase.
- Two rounds of remediation testing within 6 months of the initial source code review to ensure that all issues are effectively remediated.