Source code review


Developing software, whether it is a next-generation mobile app, a web application or an internal traditional platform, is a core activity for some organisations. For some, a Commodity Off The Shelf (COTS) application that meets their specific needs simply does not exist; for others, developing software is the core business activity, because their end product is a COTS application.


The source code developed is valuable intellectual property and needs to be protected, but the data that the source code allows access to, whether it is internal to your business or your customers' data, is even more valuable. This is why it is vital that any source code developed is reviewed by a security expert.

Applications exposed to the Internet are always high risk. There have been many examples in the press recently that demonstrate the need for developing secure code. Whether the victim of a direct attack such as SQL injection or cross-site scripting (XSS), which lets attackers inject client-side scripts into web pages, the risks are all too apparent.

There are also common back doors that attackers have used successfully. They include gaining access to a GitHub account and obtaining the credentials required to extract valuable data, or exposing credentials to data repositories such as an S3 bucket by including them natively within the code. There are also many threats from within: it could be a knowledgeable staff member with the right access downloading a copy of your data and uploading it to a cloud storage account, or an attacker who penetrates your network (often undetected) and then uses an established technique such as privilege escalation, or exploits a vulnerability that is then available to them.
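The credentials-in-code problem described above is one of the first things a source code scan looks for. The following is an added illustration, not part of Quorum Cyber's service or tooling: a small scanner that flags credential literals in a constructed "before" snippet and confirms the "after" version, which reads the keys from the environment, produces no findings. The snippets, key values and pattern names are all constructed placeholders.

```python
import re

# Patterns a reviewer typically greps for. The AWS key-id shape is the documented
# "AKIA" + 16 characters; the other two are generic literal-assignment checks.
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(access[_-]?)?key\s*[=:]\s*['\"][A-Za-z0-9/+=]{40}['\"]"),
    "password_literal": re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{6,}['\"]"),
}


def find_hardcoded_credentials(source: str):
    """Return (line_no, pattern_name, line) for every line embedding a credential literal."""
    hits = []
    for no, line in enumerate(source.splitlines(), start=1):
        for name, pat in CREDENTIAL_PATTERNS.items():
            if pat.search(line):
                hits.append((no, name, line.strip()))
    return hits


# Constructed "before": the style the text warns about (values are fake placeholders).
VULNERABLE_SNIPPET = '''import boto3
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
AWS_SECRET_ACCESS_KEY = "EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret0"
db_password = "hunter2hunter2"
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
'''

# Constructed "after": same client, keys supplied at runtime, nothing to leak via git.
HARDENED_SNIPPET = '''import os, boto3
s3 = boto3.client("s3",
                  aws_access_key_id=os.environ["AWS_ACCESS_KEY_ID"],
                  aws_secret_access_key=os.environ["AWS_SECRET_ACCESS_KEY"])
'''

if __name__ == "__main__":
    for hit in find_hardcoded_credentials(VULNERABLE_SNIPPET):
        print("line %d: %s -> %s" % hit)
    print("hardened hits:", find_hardcoded_credentials(HARDENED_SNIPPET))
```

Pattern matching of this kind is a first pass only; a manual review still has to check how the environment values are provisioned and who can read them.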

Quorum Cyber is one of the few cyber security specialists that also has a development function that understands these risks better than most. We have developed our own source code that underpins our Big Red Button platform (bigredbutton.io). This has given us a unique view of secure code and how to spot the vulnerabilities that a potential attacker could exploit.

The deliverables of this service are –

1. Project kick-off workshop to finalise scope
2. A workshop with the key stakeholders and senior developers to understand the application
3. Information gathering stage including –

  • Vulnerability scan of the application in scope
  • Scan and review of the source code in scope

4. A detailed report containing the following sections:

Executive Summary –

  • Source Code Review summary
  • Key recommendations
  • Summary of results

Detailed report covering the following areas –

  • Application vulnerabilities
  • Source code vulnerabilities –
    • External threats
    • Internal threats
    • Recommendations

5. A review workshop with key stakeholders and senior developers to review findings and recommendations.