What is Source Code Review?
Source code review, also known as security code review, is the process of auditing an application's source code to verify that the proper security controls are present, that they work as intended, and that they are invoked in all the right places. Code review is a way of ensuring that the application has been developed to be “self-defending” in its given environment.
Some vulnerabilities may not be uncovered during penetration testing; security code review is the best avenue to uncover them. Some of these application vulnerabilities may be introduced by the application developer, knowingly or unknowingly, such as application “Easter Eggs”, logic bombs, and even backdoors.
Why LGMS?
At LGMS, all security code reviews are performed by professionals, combining human effort with tool support.
We place heavy emphasis on the qualifications of the code reviewer. All of our code reviewers have application development backgrounds, and each specializes in different programming languages.
LGMS believes that human reviewers are necessary to cover the significant blind spots that automated tools simply cannot check.
All security code review reports meet 100% of the compliance requirements of PCI DSS, the Monetary Authority of Singapore (MAS) Technology Risk Management Guidelines, and the Association of Banks in Singapore (ABS) Cloud Computing Implementation Guide.
What Programming Language Expertise Do We Have?
As of January 2016, we have reviewed more than 50,000,000,000 lines of code, and the number is still growing. LGMS security code reviewers are well versed in the following programming languages:
- Visual C
- Node.JS and commonly used frameworks
- Apex and VisualForce
- Android (Java)
- Objective C
- PhoneGap and commonly used frameworks
A general rule of thumb is that penetration testing should not discover any additional vulnerabilities in the developed code once the application has undergone a proper security code review.