A manual secure code review is a process where a human reviewer, typically a security expert or a software engineer with security training, examines the source code of a software application to identify security vulnerabilities, flaws, or weaknesses.
Helpful answers to Frequently Asked Questions
What is 'White Box Testing'?
In the context of secure code review, white-box testing is a method where the tester has full visibility of the software’s source code. This access enables a comprehensive analysis of the code’s structure, logic, and potential security vulnerabilities.
With that access the tester can trace how data enters, flows through and leaves the application and follow the logic that handles it, so the review can target the code paths that matter most (authentication, authorization, input handling, data access) instead of probing blindly from the outside. This makes white-box review an effective way to find and fix security flaws and to harden the software against realistic threats.
This approach contrasts with black box testing, where the tester only has access to the software’s external interfaces and no knowledge of its internal workings.
Why do you need a secure code review?
Running a secure code review early in the development cycle matters because flaws found before release are far cheaper and faster to fix than flaws found in production. Even skilled programmers introduce errors, so a thorough code review is a vital safeguard against security problems hidden in your code.
Are any Static Application Security Testing (SAST) tools involved?
OwlEye uses a dual-method approach for code reviews: hands-on manual analysis combined with automated scanning tools. The tools provide broad coverage of known weakness patterns, while the manual review finds logic and design flaws that scanners miss and weeds out false positives.
What programming languages can you review?
Our specialists review everything from legacy systems to specialized software stacks and rare programming languages. No code base is too outdated or complex for our team. Here are some examples: link here
How many Lines of Code (LoC) are you capable of reviewing?
Our specialists review code bases ranging from a few hundred lines of code to millions. No code base is too vast or complex for our team.
How can I determine the number of Lines of Code (LoC)?
Lines of Code can be counted with the cloc tool: https://github.com/AlDanial/cloc. Please don’t hesitate to reach out if you need further assistance.
Do you remediate the identified findings?
No, not as part of an SCR (secure code review). Our reports provide clear guidance for remediating every identified vulnerability. As a separate service, OwlEye Secure Coders can be retained for development work, including remediation.
What best practices does OwlEye adhere to?
OwlEye follows enterprise security procedures for our SCR service. Our review methodology aligns with OWASP secure code review guidance. Our internal and client information security policies and procedures align with SOC 2 and ISO 27001.
How is pricing determined?
OwlEye has simplified the process for you: pricing is determined by the number of lines of code. The one exception is rare languages, where a thorough review takes longer and is priced accordingly.
You can obtain the number of lines of code with the cloc tool: https://github.com/AlDanial/cloc.
Reach out if you need any assistance!
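Because the estimate is driven by the line count, it is worth scoping what cloc counts before sending the number: vendored or generated directories and non-code files (JSON, YAML, Markdown) inflate the total without adding reviewable code. The script below is an added example, not OwlEye's tooling. It assumes cloc is installed and that the target is a git checkout (so `--vcs=git` counts only tracked files); `EXCLUDED_DIRS`, `NON_CODE_LANGUAGES` and the embedded sample JSON are constructed for illustration.

```python
"""Scope a secure-code-review line count from cloc's JSON output.

Added example (not OwlEye's own tooling). Assumes cloc
(https://github.com/AlDanial/cloc) is on PATH and the target is a git
checkout. The sample JSON at the bottom is constructed, not a real project.
"""
import json
import shutil
import subprocess
from typing import Dict, Iterable

# Directories that are usually vendored or generated: not code under review.
# (Assumed list; adjust to the project's layout.)
EXCLUDED_DIRS = ("node_modules", "vendor", "dist", "build", "third_party")

# cloc "languages" that are data or docs rather than reviewable source code.
# (Assumed list; cloc reports many more such formats.)
NON_CODE_LANGUAGES = {"JSON", "YAML", "Markdown", "Text", "XML", "SVG", "CSV"}


def run_cloc(repo_path: str, excluded_dirs: Iterable[str] = EXCLUDED_DIRS) -> dict:
    """Run cloc over a git checkout and return its parsed JSON report.

    --vcs=git      count only files tracked by git (skips untracked build output)
    --exclude-dir  drop vendored/generated trees from the count
    --json         machine-readable output for summarize() below
    """
    if shutil.which("cloc") is None:
        raise RuntimeError("cloc not found on PATH")
    cmd = [
        "cloc", "--vcs=git", "--json",
        "--exclude-dir=" + ",".join(excluded_dirs),
        repo_path,
    ]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def summarize(cloc_json: dict) -> Dict[str, object]:
    """Reduce a cloc JSON report to the figures a review scope needs.

    Returns the raw total, the total with data/doc formats removed, the
    per-language code lines (largest first) and what was excluded. Raises
    ValueError if the per-language entries do not add up to cloc's own SUM,
    which would indicate a truncated or hand-edited report.
    """
    per_language = {
        name: entry["code"]
        for name, entry in cloc_json.items()
        if name not in ("header", "SUM")
    }
    total = sum(per_language.values())
    reported = cloc_json.get("SUM", {}).get("code", total)
    if reported != total:
        raise ValueError(f"per-language code {total} != SUM code {reported}")

    excluded = {n: c for n, c in per_language.items() if n in NON_CODE_LANGUAGES}
    reviewable = {n: c for n, c in per_language.items() if n not in NON_CODE_LANGUAGES}
    ranked = dict(sorted(reviewable.items(), key=lambda kv: kv[1], reverse=True))
    return {
        "total_code": total,
        "reviewable_code": sum(reviewable.values()),
        "by_language": ranked,
        "excluded": excluded,
    }


# Constructed sample in cloc's JSON layout (header, one entry per language, SUM).
SAMPLE_CLOC_JSON = {
    "header": {"cloc_version": "1.98", "n_files": 7},
    "Python": {"nFiles": 3, "blank": 40, "comment": 30, "code": 620},
    "JavaScript": {"nFiles": 2, "blank": 12, "comment": 5, "code": 180},
    "JSON": {"nFiles": 1, "blank": 0, "comment": 0, "code": 900},
    "Markdown": {"nFiles": 1, "blank": 8, "comment": 0, "code": 40},
    "SUM": {"blank": 60, "comment": 35, "code": 1740, "nFiles": 7},
}


if __name__ == "__main__":
    import sys
    report = run_cloc(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CLOC_JSON
    for key, value in summarize(report).items():
        print(f"{key}: {value}")
```

Run it with a repository path to count a real checkout, or with no arguments to see the summary of the constructed sample: 1,740 lines as cloc reports them, of which only 800 (Python and JavaScript) are source code a reviewer would actually read.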
How often are secure code reviews conducted?
The frequency of secure code reviews can vary depending on the specific needs and preferences of our clients. Some clients opt for routine testing, scheduling code reviews either once or multiple times per year. This regular schedule is particularly beneficial for maintaining consistent security standards and catching potential issues early.
Other clients may prefer to conduct secure code reviews as needed, often aligning them with major code deployments or significant updates. This approach ensures that new or significantly altered code is thoroughly vetted for security vulnerabilities before going live.
We also offer incentives for routine or multi-year engagements. Engaging in regular secure code reviews not only helps in maintaining a high security standard but may also provide cost-effective solutions and prioritized scheduling benefits. Whether it’s a fixed schedule or on an as-needed basis, our goal is to provide flexible and comprehensive security solutions tailored to each client’s unique requirements.
Do you provide educational services?
Yes, our service includes an educational element. Our Security Analysts present the findings to your programming teams so that they learn from each issue and your overall security posture improves. This approach is designed to give your developers the knowledge to improve their security practices and write more robust, secure code going forward.
Can you work outside of regular business hours?
Yes, OwlEye’s team is available to review our clients’ applications 24/7 if needed.
What certifications do your security resources possess?
Our team of security professionals holds numerous security certifications, including OSCP, CISSP, CISM and CEH.
What security clearance level do your resources possess?
OwlEye’s employees must all obtain “SECRET” clearance from the Federal Government of Canada.