Secure Code Review Services

To obtain the most comprehensive results and minimize risk, this level of analysis employs automated source code static analysis to identify a preliminary set of vulnerabilities, followed by a full manual analysis of the source code searching for types of vulnerabilities which are not reliably found through automated tools.

This deep-dive process is most appropriate for commercial applications that have the highest security requirements, such as applications that process a large volume or high-value financial transactions. Comprehensive assessments ensure the lowest level of residual risk.

Design

• Architecture and Design documentation is complete
• User and role/access based privileges are documented
• APIs are well partitioned into public and restricted
• Security is layered - each layer assumes other layers may have been compromised
• Security design covers all 8 principles of security: authentication, authorization, confidentiality, message integrity, data integrity, availability, non-repudiation
• Sensitive data has been identified

Authentication and Cookie Management

• User credentials are encrypted in the data store
• Security policies are configurable (not hardcoded)
• Standard security frameworks are used (instead of custom code)
• SSL is used to protect user credentials and authentication tokens
• Authentication cookies are not persisted
• Authentication cookies are encrypted
• Cookie names and paths are used
• Application handles user management events such as authentication failure, password reset, password change, account lockout and cancel account
• Application handles suspicious events such as multiple failed login attempts, session replay and attempted access to restricted resources
• Strong passwords policies are enforced
• Authentication credentials are not passed by HTTP GET

Authorization

• Authentication and authorization should be the first logic executed for each request
• Authorization checks are granular (page and directory level)
• Deny access to pages and data by default
• Re-authenticate for requests that have side-effects
• ACLs are configured for all files
• Authorization based on clearly defined roles
• Authorization works properly and cannot be circumvented by parameter manipulation
• Authorization cannot be bypassed by cookie manipulation

Data Validation

• All external input is validated without exception
• Where possible input is restricted to known good chars
• Data is validated server side (security should not rely on client-side validations)
• Application validates numerical input and rejects unexpected input
• Application efficiently evaluates input length
• Strong separation between data and commands
• Strong separation between data and client side scripts
• Data should be checked for special characters before being passed to SQL, LDAP, OS and third party commands
• Http headers are validated for each request (e.g. referrer)

Cryptography

• Sensitive data has been secured in memory, storage and transit
• Restricted areas require SSL
• Sensitive information not passed to/from non-SSL pages
• Proper SSL set up
• SSL provider supports only strong algorithms
• Web based admin tools require SSL
• Decryption services protected by authentication/authorisation
• Require SSL for login page
• Securely store cryptographic keys

Session Management

• No session parameters passed in URLs
• Session cookies expire in a reasonably short time
• Session cookies are encrypted
• Session data is being validated
• Private data in cookies is kept to a minimum
• Application avoids excessive cookie use
• Session id is complex
• Session storage is secure
• Application properly handles invalid session ids
• Session limits such as inactivity timeout are enforced
• Logout invalidates the session
• Session resources are released when session invalidated

Error/Exception Handling

• When exceptions occur the application fails securely
• Error messages do not reveal sensitive information
• System errors are never shown to users
• Resources are released and transactions rolled back when there is an error

Logging & Monitoring

• All user / system actions are logged
• Sensitive information is not logged (e.g. passwords)
• Logging for user management events (e.g. password reset)
• Unusual activity such as multiple login attempts are logged
• Logs have enough detail to reconstruct events for audit purposes
• Logging is highly configurable (logging levels)

General/Security Misconfigurations & Business Logic Flaws

• Proper configuration of frameworks such as Spring, Struts, .NET etc..
• Libraries are up-to-date
• System calls have their return status checked
• Efficient memory usage
• No exposures to buffer overruns
• Code, services, commands and processes are executed using minimal privileges (least privileges)
• Code has no back doors
• Debugging code and test harnesses have been removed