Evaluate the security of your application through code auditing
The purpose of code auditing is to look for vulnerabilities in the source code of an application.
These vulnerabilities fall into two broad classes: design errors and development (implementation) errors.
A typical design error is weak session management in a web application, for example predictable or never-expiring session identifiers, which lets an attacker hijack a user's session or impersonate that user.
A typical development error is unsafe handling of untrusted input in a web application, for example building an SQL query or a shell command by string concatenation, which lets an attacker execute code at the database level (SQL injection) or on the server's operating system (command injection).
Through its code audit, ITrust analyses both how the application was designed and how the code was developed. The main method is manual code reading. By following each data flow through the program, from the point where data enters to the functions that process it and the outputs it reaches, the auditor checks that every processing step is adequate for the trust level of the data it handles.
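The following is an added example, not code from the original page or from ITrust, showing the two input-handling errors described above (database-level and operating-system-level code execution) and what an auditor following the data flow looks for: the untrusted source, the sink it reaches, and whether the code between them is adequate for that trust level. Each vulnerable function is shown beside a hardened form. The user table and the request values are constructed sample data, and echo stands in for a real network tool so that the command injection can be demonstrated offline.

```python
import ipaddress
import sqlite3
import subprocess


def make_db():
    """Build a constructed in-memory user table (sample data, not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


# --- Sink 1: the database ---------------------------------------------------
# Source: `name` and `password` arrive straight from the HTTP request (untrusted).

def login_vulnerable(conn, name, password):
    """Untrusted input is concatenated into the SQL text, so quotes and
    operators inside the input become part of the query (SQL injection)."""
    query = ("SELECT name FROM users WHERE name = '" + name
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_hardened(conn, name, password):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


# --- Sink 2: the operating system -------------------------------------------
# Source: `host` comes from a form field (untrusted). `echo` stands in for the
# real network tool so the example runs offline; the flaw is the same.

def ping_vulnerable(host):
    """The input is interpolated into a shell command line, so `;`, `|`,
    `$(...)` and similar are interpreted by the shell (command injection)."""
    result = subprocess.run("echo ping -c 1 " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def ping_hardened(host):
    """Validate the input against what the sink actually needs (an IP address)
    and pass it as its own argv element, with no shell in between."""
    ipaddress.ip_address(host)  # raises ValueError for anything but an IP address
    result = subprocess.run(["echo", "ping", "-c", "1", host],
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable login:", login_vulnerable(db, "alice", payload))  # every user
    print("hardened login:  ", login_hardened(db, "alice", payload))    # []
    print("vulnerable ping: ", repr(ping_vulnerable("127.0.0.1; echo INJECTED")))
    try:
        ping_hardened("127.0.0.1; echo INJECTED")
    except ValueError as exc:
        print("hardened ping rejected input:", exc)
```

The audit question is the same for both sinks: the query text and the command line are trusted by the interpreter that runs them, so nothing that originated from the request may be spliced into them. Binding parameters and passing an argv list keep data and code separate; the extra validation in ping_hardened narrows the input to what the sink needs, which also makes the later manual review easier.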
Open source static analysis tools can be used to find the most common error classes, such as buffer overflows, format string bugs and time-of-check/time-of-use (TOCTOU) races. In all cases the findings must be reviewed manually, both to eliminate false positives and to catch the flaws, such as logic and design errors, that the tools do not model.
In order to be as exhaustive as possible across the different types of vulnerabilities, ITrust works from several reference lists, of which the two main ones are:
- Secure Programming for Linux and Unix HOWTO: Creating Secure Software
- OWASP Top Ten Project
Wherever possible, the severity of each flaw is assessed, ranging from “not exploitable” to “total control of the server” or “theft of confidential information”.