Process for Undertaking a Secure Code Review
With a hands-on approach to conducting a Secure Code Review, we focus on identifying valid security deficiencies within the target application, right at the code level, based on the OWASP Secure Code Review standard.
Secure apps start with secure code.
Deploy robust, secure code.
Leverage learning through expert interaction.
Our Owl’s Flight Route
Step One: Scoping of the Engagement
The scope of the engagement is determined based on the number of lines of code (LoC) and the programming language. This helps us assess the associated work effort required to complete the engagement.
Step Two: Project Kick-off Call
OwlEye project managers will organize a project kick-off call with our Security Analysts and your relevant stakeholders to obtain an overview of the application environment, business logic, and current technology used.
Step Three: Access Code Repository
The code repository is provided according to the agreed scope of the assessment. We ask that you transfer the source code to us using a secure, compliant transfer method already in place within your organization; alternatively, we can provide a secure area where you can upload the code, or we can access your software environment directly.
Step Four: Static Application Security Testing Scan
OwlEye conducts an initial scan of the source code. This will give us an overall perspective on security hygiene, helping us understand the lay of the land and identify any missing dependencies within the provided source code.
Step Five: Manual Secure Code Review
Our certified Security Analysts manually review the source code line by line, documenting and reporting observations and findings. This is the most substantial part of the engagement.
Step Six: Executive Summary and Findings Review Report
The high-level and detailed findings reports are submitted to the executive team and developers. By carefully examining each aspect of the code’s functionality, the report separates false positives from genuine findings and highlights emerging patterns, security deficiencies, and vulnerabilities.
Step Seven: Virtual Findings Review
A virtual review session will be held with your development team and relevant project stakeholders. During this session, we will explain how to read the report, review the executive summary, and then examine the details of each finding. This approach facilitates collaboration between your developers and our security analysts to triage and remediate the identified vulnerabilities.
Step Eight: Retesting (Optional)
Once the identified vulnerabilities have been remediated, you can engage OwlEye Security Analysts to retest and validate that your remediation efforts have been successful. Upon successful remediation, OwlEye will issue a Security Certificate to your organization as proof of your commitment to the security of your application.
Step Nine: In-House Remediation (Optional)
You can engage the OwlEye web development team to remediate the identified vulnerabilities.
We Tailor to Meet Your Unique Requirements
What’s included with your OwlEye Secure Code Review
- Security Analyst-Led Manual Secure Code Review – A manual, line-by-line review that documents and reports observations and findings.
- Static Application Security Testing Scan – A scan of the source code to provide an overall perspective on the security hygiene. This helps to understand the overall security landscape and identify any missing dependencies within the source code.
- Executive Summary – A high-level overview of the application’s security posture.
- Findings Review Report – A comprehensive, detailed analysis of security issues for a technical audience.
- Virtual Findings Review with Security Analysts – A detailed walkthrough of the reported findings, led by our Security Analysts, for the education and benefit of your programming teams.
Maximize your security with optional Add-Ons
- Retesting (Optional) – A retest to ensure that remediation efforts have effectively resolved any security vulnerabilities.
- Security Certificate (Optional) – Issued upon validation that the identified vulnerabilities have been successfully remediated.
- Remediation (Optional) – OwlEye Secure Code Developers can be engaged to address the identified vulnerabilities.
Reach out to us for a personalized consultation.
Every application and business is unique. We’ll help you identify a solution and price that is tailored to help your organization succeed.