Security Code Review

Many security problems cannot be identified "from the outside", e.g. with a penetration test, but only by assessing the source code. Tools that perform static or dynamic code analysis (SAST, IAST) can help a lot here, but even these technologies are not able to identify all security problems that can exist in the program code. It is therefore vital to also conduct manual security code reviews of program code with high security protection requirements.

As part of this activity, we perform a variety of different assessments, e.g.:

  • Correctness of input validation and output encoding
  • Insecure APIs or API calls (e.g. OS calls)
  • Correct use of security APIs (e.g. cryptography)
  • Insecure or missing access controls
  • Identification of race conditions
  • Additional hardening possibilities