Source Code Audit
Source code audit maximizes the results and the vulnerability detection rate. During this process we are granted access to the source code of the target software.
Specialized static code security scanners are used, as well as manual analysis. The scanners help to detect the most frequent and simple mistakes. Manual analysis reveals more complex vulnerabilities, business logic errors, etc. The architecture of the application and the interaction between its components are also analyzed.
Application Analysis (without source code)
Black-box and grey-box analysis of applications determines the level of security under real-world conditions, or conditions close to them, using different attacker models.
The scope of analysis includes web applications (internet banking, remote banking services, etc.), server software (banking software, credit card processing software, etc.), desktop applications (thin and thick clients, etc.) and mobile applications (mobile banking, authentication, OTP, utilities, games, etc.).
Analysis of applications can be conducted using different methods: penetration testing, fuzzing and reverse engineering. Apart from technical vulnerabilities, architectural and business-logic flaws are also searched for.
Web Application Analysis
Web application compromise can lead to loss of availability, data corruption, breach of confidentiality and, consequently, reputational and financial losses.
The web application security assessment isn’t limited to searching for standard vulnerability classes (such as the OWASP Top 10) and publicly reported vulnerabilities in third-party software (such as libraries or frameworks).
The business logic of the application, which can contain application-specific vulnerabilities, is also audited. Special attention is paid to financial applications, such as internet banking and payment systems. The threat model for such applications considers the risks of illegal financial transactions and personal data leakage.
If the web application server is integrated into the corporate network, special attention is also paid to vulnerabilities that allow access to internal network resources.
Security Development Analysis
During this type of audit the secure development maturity level is examined, and weaknesses and possible ways of improvement are determined. The audit can be conducted as a compliance check against well-known methodologies and standards (MS SDL, PA DSS, etc.), or as an expert evaluation giving a detailed picture of development process security.
The audit is performed by examining documentation, interviewing employees, observing processes and checking configurations.