Application flaws are currently a major cause of web infrastructure compromises. Web applications rarely respect fundamental security rules, and hackers frequently manage to identify and exploit multiple flaws, such as XSS or SQL injections.
An IT security audit lets you check how well your site stands up to attacks by identifying its vulnerabilities so you can correct them.
What is an IT security source code audit?
A security audit is based on an exhaustive analysis of your application’s source code.
By studying your application’s lines of code, our IT security experts verify the source code’s viability in two aspects:
IT technical audits:
our security consultants’ goal is to check that best development practices in code production have been respected considering the specificities of the languages used. They will detect the most obvious vulnerabilities present directly in the application and, to a certain extent, in the libraries it uses (when their source code is available).
The second aspect verifies that features have been implemented correctly and that the related best practices were respected, independent of the language(s) used. Our consultants will also look for logical errors that may result in a security flaw.
This approach finds the greatest possible number of common vulnerabilities while offering a more complete analysis than a penetration test.
Furthermore, as far as possible, we also check that best practices are respected in managing the application’s source code, its versioning and the related documentation, since shortcomings there can also cause problems.
Why conduct a code audit of your applications?
The security audit is an important phase when putting an application into production, especially when the data processed is highly sensitive (such as personal data or banking data).
Beyond losing control over one or more of the Information System’s elements, a compromise can have other, much more serious consequences such as a leak of personal data or harm to your company’s image to its clients, leading to a loss of trust and turnover.
The main advantage of a source code audit is to make sure that your applications follow the best security practices and do not present IT risks that could result in them being compromised as soon as they go online.
NBS System’s expertise in IT security
21 years of experience
Over 250 clients in IT security
Creator of CerberHost
Creator of Naxsi
Source code audits: type of analysis and methodology
There are several ways to conduct source code audits, in particular with or without executing the code.
If the code is not executed
Here, each line of code in your application is analysed. Most of the time, our teams begin the audit using an automated programme that quickly identifies any major known flaws. It is true that a purely human analysis of all the code is more complete, but also very long (our experts can audit on average 1000 to 1500 lines of source code/day depending on the language and programme complexity).
After dismissing our automated tools’ false positives, our experts can concentrate quickly on analysing the lines of code that may include a flaw or a lack of best practices.
If the code is executed
In this case, our experts, with and/or without tools, will not study the lines of code but rather how your programme functions. They will evaluate your application’s behaviour by executing your programme in every possible state to test all scenarios.
However, you should not confuse this with a web security test which can be conducted in addition.
What is a code review?
Do you want to test the security of your site or web application? Generally, your application is based on a language (PHP, for example) which is the basis of the framework or CMS that you use (for example, WordPress, Magento, or Symfony).
Depending on the type of security audit you want to conduct, our security teams will begin by identifying the main “traps” that regularly occur when using your framework.
If “customisations” have been made to the framework’s core, we will work from a differential (diff) between the base version and the modified files so that we do not have to review all the source code (a scope that would make the process counter-productive). These reviews must also be conducted on each “in-house” module that makes up your application, to cover the largest scope possible.
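The differential described above can be produced mechanically before the reviewers start: compare a pristine copy of the framework release against the deployed tree and keep only the files that were added, modified or removed. The script below is an added illustration of that scoping step and is not NBS System’s own tooling; it assumes GNU coreutils (`sha256sum`, `join`) and file paths containing no tabs or newlines, and it builds two small constructed sample trees so that it runs offline.

```shell
#!/bin/sh
# Added example (not NBS System's tooling): compute the review scope for a
# customised framework by diffing a pristine upstream tree against the deployed
# tree. Output: one line per file, prefixed A (added), D (deleted) or M (modified).
# Unchanged upstream files are left out of the review scope entirely.
# Assumes GNU coreutils and paths without tab/newline characters.
export LC_ALL=C          # stable byte-order sorting, required by join
TAB=$(printf '\t')

# tree_manifest DIR -> "relative/path<TAB>sha256" for every regular file, sorted by path
tree_manifest() {
  (cd "$1" && find . -type f -print | while IFS= read -r f; do
     printf '%s\t%s\n' "${f#./}" "$(sha256sum < "$f" | cut -d' ' -f1)"
   done) | sort -t "$TAB" -k1,1
}

# scope_diff BASE_DIR DEPLOYED_DIR -> "A|D|M path" lines, sorted by path
scope_diff() {
  tmp=$(mktemp -d)
  tree_manifest "$1" > "$tmp/base"
  tree_manifest "$2" > "$tmp/deployed"
  # Outer join on the path: -a1/-a2 keep unpaired lines from either side,
  # -e MISSING fills the absent hash so awk can classify each row.
  join -t "$TAB" -a1 -a2 -e MISSING -o '0,1.2,2.2' "$tmp/base" "$tmp/deployed" |
    awk -F"$TAB" '$2 == "MISSING" { print "A", $1; next }
                  $3 == "MISSING" { print "D", $1; next }
                  $2 != $3        { print "M", $1 }'
  rm -rf "$tmp"
}

# make_demo_trees -> prints a temp root holding constructed base/ and deployed/ trees
make_demo_trees() {
  root=$(mktemp -d)
  # Constructed "upstream release" of a fictional framework
  mkdir -p "$root/base/vendor/lib"
  printf '<?php // upstream auth\n'      > "$root/base/vendor/lib/Auth.php"
  printf '<?php // upstream router\n'    > "$root/base/vendor/lib/Router.php"
  printf '<?php // legacy helper\n'      > "$root/base/vendor/lib/Legacy.php"
  # Constructed deployed copy: Auth.php patched locally, Legacy.php removed,
  # Router.php untouched, and an in-house module added under app/custom
  mkdir -p "$root/deployed/vendor/lib" "$root/deployed/app/custom"
  printf '<?php // upstream auth + local patch\n' > "$root/deployed/vendor/lib/Auth.php"
  printf '<?php // upstream router\n'             > "$root/deployed/vendor/lib/Router.php"
  printf '<?php // in-house payment module\n'     > "$root/deployed/app/custom/Payment.php"
  printf '%s\n' "$root"
}

demo=$(make_demo_trees)
scope_diff "$demo/base" "$demo/deployed"
rm -rf "$demo"
```

Every `A` line is in-house code that needs a full read, every `M` line is a customisation whose diff against upstream is the review target, and a `D` line is worth a question to the developers (removed security checks look exactly like removed dead code). Running the same script on two consecutive releases of the application also gives the scope for a follow-up review limited to what changed.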
After the IT audit, our security experts deliver a complete report of vulnerabilities found with actions to correct them.
When to conduct a source code review?
Ideally, an IT security audit should be conducted before finalising an IT project, i.e. before the acceptance testing phase. Since the acceptance tests are the last step in approving the code the developers have delivered before final deployment, this is the last chance to correct any vulnerabilities. Our experts can then accompany you in making any corrections to your application before it goes online, greatly reducing your risk of compromise.
If your application is already online, you can conduct a code review at any point in its lifecycle. This type of IT audit is often conducted as part of continuous improvement approaches.
If you have been the victim of a malicious act, fraud or cyber-attack, there is another type of information system audit: the forensic investigation. This type of IT security audit collects, collates and analyses evidence to determine precisely the method used by the malicious actor and to identify what actions they may have taken on the compromised machine.
Who conducts the IT security audit?
The audit can be conducted in-house if you have staff with the required skills within your teams. However, for complete source code audits, knowledge of the application by in-house staff can lead to errors of judgement. When an outside contractor performs this type of assignment, they will test the application methodically based on their experience and the variety of environments they encountered in the past, resulting in more exhaustive, relevant results.
Our security unit is currently comprised of 10 experts. They make up two teams:
- One team is dedicated to research and innovation projects, so that we stay at the forefront of security techniques and discoveries and provide the company and the community with our expertise in open source projects like NAXSI, PHP Malware Finder, Snuffleupagus, and many others.
- The other team conducts audits and penetration tests for our clients.
Furthermore, each member of the overall Security Unit is randomly assigned to the SecOps role on a rotating basis. This recurring role also gives our staff various operational assignments and allows them to stay familiar with our clients’ reality.
Where should the IT audit be conducted?
Most of the time, our experts carry out their code reviews in our offices. Our teams being present in your facilities offers no added value to the audit.
Deontology & ethics at NBS System
NBS System saves no data from your IT network (gathered during the test). The vulnerabilities identified during the source code audit will NEVER be (re-)exploited outside of these tests. All the data gathered during the audit will be delivered to you when it is over. The report handed to you at the end of the source code audit is strictly confidential. Of course, it is not shared with other parties, including within NBS System. Only the Security team has access to it.
For more information, contact our sales department