Security Code Review
Many security problems can not be identified “from the outside”, e.g. with a penetration test, but by assessing the source code. Tools that perform static or dynamic code analysis (SAST, IAST) can help here a lot, but even these technologies are not able to identify all security problems that can exist in the program code. It is therefore vital to conduct also manual security code reviews of program code with high-security protection requirements.
As part of this activity, we are performing a variety of different assessments, e.g:
- Correctness of input validation and output encoding
- Insecure APIs or API calls (e.g. OS calls)
- Correct use of security APIs (e.g. cryptogaphie)
- Insecure or missing access controls
- Identification of race conditions
- Additional hardening possibilities