Source code analysis

The root of your cybersecurity.

What is source code analysis?


How do hackers do it? How do they get access to the most secure and hardened servers and steal crucial information? Even with high encryption keys and very tight firewalls, hackers still manage to hack their way through to critical data, most of the time by pushing the code to its limit. It is often possible to make server code behave in a way that the developers did not plan for, expose internal server information (e.g. password files), or execute third party malicious code, all without breaking any of the encryption and security schemes on the server.

Our team members are themselves experienced developers, and by using tools and manual investigation it is possible to locate areas in the code that might be exposed to exploitation and faulty user input validation.


Why perform source code analysis?


It is commonly accepted that security by obscurity is bad practice. This means that hoping that attackers will not see a hole in your software is not a good security strategy. Instead, finding and plugging these holes to prevent data breaches is a far better long term plan.

While it is possible for our team to try and discover these holes without any prior knowledge of the web application (black box testing), it can be more efficient to share the source code upfront, so that the teams can focus on the crucial job of fixing the holes instead of trying to guess where to find them.

The good news is that external source code reviews have been proven to deliver immediate actionable results in over 95% of cases.

Your security is our concern.


Silent Breach understands that your source code, Intellectual Property, and confidential data are your business.

To protect these valuable assets while we inspect them, all of our client communication is encrypted using enterprise-grade algorithms.

Moreover, our customer reports are stored off-line, and we make sure that every step of the process is secured end-to-end so that no source code is ever exposed.

Finally, the source code analysis and review can be restricted to the portions of the code that handle critical operations, such as querying databases or handling user sessions. Wherever necessary, we can limit our review to the sensitive segments of your applications' operations.

Silent Breach is the only major cybersecurity company that will refund you your deposit if we are unable to discover major security flaws in your code. That's how confident we are in our team, our methodology and our client satisfaction.


Web Application Source Code Review


Because web applications are the number one threat in terms of remote penetration, we recommend a full source code review that covers all of the OWASP Top 10 and SANS Top 25 issues.

Web applications are by far the most exposed elements, mainly because parts of these applications are executed in the user's browser, where they can be changed at will to abuse the server-side code.

By design, web applications must ship source code to the user in order to execute in the user's browser. Because JavaScript is a scripted language, that code can be read very easily, unless it is obfuscated, to analyze and understand your application's logic.

Types of Source Code Analyses


Web Applications


Web applications are by far the most difficult security challenges out there. Extra precautions need to be taken to sanitize user input, and make sure queries are legitimate.

We use the OWASP methodology to track down potential problems in the code, and to secure your application.

Compiled Code


Attacking a network at the system level usually requires exploiting compiled code, such as system services or kernel device drivers.

System breaches can be prevented by keeping your systems updated with the latest patches, but that does not prevent new flaws from being found on deployed systems.

Interpreted Code


System scripts are a vital part of a server, and can be abused just like web applications or compiled code.

The Shellshock bug, for example, was discovered in the Bash shell environment, showing that security holes can reside in a system for years before being uncovered. In fact, it may have been exploited long before it became public.

Databases / SQL


Databases are everywhere, come in different shapes and sizes, and are a vital component of many businesses. They often contain sensitive information such as passwords or other personal records.

Database misconfigurations or weak access controls can expose your sensitive data without being detected.
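The "Web Applications" section above asks for user input to be sanitized and for queries to be kept legitimate, and this section warns that databases often hold the most sensitive records. The following example is added here to illustrate those two points in code; it is not Silent Breach's code or methodology. It assumes an in-memory SQLite database with a constructed `users` table, and the function names (`lookup_unsafe`, `lookup_safe`, `validate_name`, `review_finding`) are hypothetical. It shows the pattern a source code review flags (query text built from user input) beside the hardened pattern (parameter binding plus an allowlist on the input), and a reviewer-style check that exercises both with the same input containing SQL metacharacters.

```python
import re
import sqlite3

# Constructed sample data; not taken from the original page.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Allowlist for a user name: letters, digits and underscore, 1 to 32 characters.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def build_db():
    """Create a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def validate_name(name):
    """First layer: reject input that does not match the expected shape."""
    return NAME_RE.fullmatch(name) is not None


def lookup_unsafe(conn, name):
    """Pattern a code review flags: user input spliced into the SQL text.

    Anything the user types becomes part of the query's syntax, so the
    query is no longer guaranteed to be the one the developer wrote.
    """
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Hardened pattern: the driver binds the value as data, never as SQL.

    The query text is a constant; the input can only ever be compared
    against the name column, whatever characters it contains.
    """
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def review_finding(conn, user_input):
    """Reviewer's check: run the same input through both patterns.

    Returns what each query returned and whether the allowlist would have
    stopped the input before it reached the database at all.
    """
    return {
        "allowlisted": validate_name(user_input),
        "unsafe_rows": lookup_unsafe(conn, user_input),
        "safe_rows": lookup_safe(conn, user_input),
    }


if __name__ == "__main__":
    db = build_db()
    # A legitimate lookup behaves the same under both patterns.
    print(review_finding(db, "alice"))
    # Input containing SQL metacharacters: the concatenated query returns
    # every row, the parameterized query returns none, and the allowlist
    # rejects it outright.
    print(review_finding(db, "x' OR 'a'='a"))
```

Both layers belong in a reviewed code base: parameter binding is what actually keeps the query legitimate, and the allowlist limits what even reaches the database, which also makes anomalous input easy to log and alert on.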