Secure Code Review Audits
Secure Code Review is required by a regulated organisation such as those subject to Payment Card Industry (PCI). For US operations, the following regulations require secure code reviews: Health Insurance Portability and Accountability Act HIPPA (US medical) and Federal Information Security Management Act (FISMA) and Sarbanes-Oxley (SOX).
The Security Code Review includes an audit by an automated Static Code Analysis (SCA) tool and a manual code review by our Security Consultant. The later step is needed as SCA tools often identify a significant number of false-positive and false negative finds in the code. Thus, Consultant review is needed to conduct weeding out, else the recommendations will mislead your Customer’s developers into chasing ghosts.
Checks include searching for various application vulnerabilities including:
- Cross-Site Scripting (XSS)
- SQL Injection
- Formula Injection – Excel Files
- Passwords stored in Clear Text
- Hard Coded Encryption Keys
- Weak Authentication Method – Basic Authentication
- Password Policy
- Exposing Error Messages
- Logout Mechanism
- Sensitive Information Is Stored In Log Files
- Insufficient Transport Layer Protection.
The Escrow London team will scan the entire code base with an automatic tool and will remove the false positive finding. In this test, we will check only a few examples of every vulnerability listed above. No false negative check is conducted.
The Escrow London team will scan the entire code base with an automatic tool and will remove False Positives, False Negatives, Business Process vulnerabilities and more. In this test, we will scan all the code but we will check only a few examples of every vulnerability.
Trusted by Many of the World’s Biggest Companies