Source Code Review

The analysis of source code from a security perspective has traditionally been an expensive and time-consuming proposition for many enterprises. Xiphos Research believes that secure code review services should be within reach of all enterprise environments, without placing unrealistic economic or time demands on modern business.

The code review services we offer provide a cost-effective and rapid means of gaining assurance about the security posture of applications, whether developed in-house or by third parties. Unlike some of our rivals, we do not offer a service dedicated solely to providing our clients with an 'overview' or other 'high-level' understanding of the security (or otherwise) of custom code bases. Rather, we believe that line-by-line analysis by our expert staff provides far more value than merely interviewing development staff and reviewing documentation.

The human analysis of source code by experienced professionals delivers the best value to our clients. Although we will be the first to admit that we deploy a variety of off-the-shelf and custom applications to assist in the code review process (indeed, we are currently developing applications to assist developers in finding security deficits in their code), it is our assertion that senior software engineers and security specialists manually reviewing code can help minimise a variety of security threats, as well as optimising the code base. This is especially pertinent in the case of applications developed in custom language sets, or legacy applications that may not be supported by automated code review tools.

Adequately reviewing enterprise-level applications manually, on a line-by-line basis, within acceptable time frames and economic limitations is no easy proposition. To deliver the best value to our diverse global client base, we have developed a unique and proven three-stage approach to conducting secure code reviews, namely:

  • Consultation - During this phase of an engagement, we seek to leverage any information that may exist to help identify potential areas of critical security impact, as well as establishing a clear scope of what our client's acceptable levels of risk are and what their project scope is.

  • Mapping - This stage of a project allows our staff to gain a detailed understanding of the application architecture, components and dependencies, as well as identifying areas of security-related functionality and potential areas of weakness.

  • Review - Following the initial mapping of the application and its supporting architecture, technical specialists conduct a detailed review of the application source code using both manual techniques and proprietary code analysis tools, to identify security weaknesses and logical flaws that may impact upon the security and integrity of the application solution.

For additional information or assistance with our secure code review services, contact us.