Source Code Review

Tangible Security’s Source Code Review service examines selected source code to identify security vulnerabilities.

Without a code review, some vulnerabilities are very difficult to detect through other testing methods. Following a code review, the client has assurance that security best practices were considered during software development.

What is a source code review?

A secure code review is an in-depth analysis of the source code of an application. It is done to identify vulnerabilities in the code, security risks, logic errors, deviations from style guidelines, and more. Here at Tangible Security, we use a mix of automated and manual analysis to determine any weaknesses in the application code.

Our Security Code Review Services include:

Establish Test and Build Environment

The automated analysis tools require a working build in order to resolve dependencies and pre-compilation statements and to produce the intermediate data they analyze. Tangible Security works with the customer to recreate a working build environment for the test.

Perform Automated Security Analysis

The static analysis tools are run against each build environment. The result is typically a large list of potential issues that must be triaged. Additionally, the rulesets run against the code may need to be tuned to get the best coverage.

Perform Manual Security Analysis

While static analysis tools are very effective at reducing the overall time required to analyze the code, manual analysis is still required to check the areas of code with the most risk. For example, areas that directly accept input, render pages, and access databases or filesystems require manual analysis to augment the automated results and give more comprehensive coverage. The manual analysis is more surgical in its approach to evaluating the software, and it works more closely with the running environment to verify the issues.

Confirm Findings

The findings are manually evaluated to determine their validity. The static analysis tools take a rule-based approach to analyzing the software, but they often return false positives that must be filtered out. The consultant puts eyes on the code and evaluates the trigger conditions to determine whether each finding should be kept or filtered.
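The triage described in the three steps above (a large list of automated findings, prioritized toward code that accepts input, renders pages or touches databases and filesystems, with low-exposure hits deprioritized rather than silently dropped) can be illustrated with a small script. This is an added example and not Tangible Security’s own tooling or process; it assumes findings have already been flattened to a list of dicts with rule, file, line, severity and message keys (roughly the shape of a SARIF result), and the sample findings and directory-name patterns below are constructed for illustration.

```python
"""Rank static-analysis findings by risk area for manual review.

Added example, not Tangible Security's tooling. Assumes findings are a
list of dicts with 'rule', 'file', 'line', 'severity' and 'message' keys.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample findings (not real scanner output).
SAMPLE_FINDINGS = [
    {"rule": "sql-injection", "file": "app/db/users.py", "line": 42,
     "severity": "high", "message": "string-formatted query"},
    {"rule": "path-traversal", "file": "app/storage/files.py", "line": 17,
     "severity": "high", "message": "user-controlled path"},
    {"rule": "xss", "file": "app/views/profile.py", "line": 88,
     "severity": "medium", "message": "unescaped template variable"},
    {"rule": "hardcoded-secret", "file": "tests/fixtures/conf.py", "line": 3,
     "severity": "medium", "message": "possible hard-coded password"},
    {"rule": "unused-import", "file": "app/util/helpers.py", "line": 1,
     "severity": "low", "message": "unused import"},
]

# Risk areas that get manual attention: code that accepts input, renders
# pages, and accesses databases or filesystems. The directory names are an
# assumed project layout, not a universal convention.
RISK_AREAS = {
    "input": re.compile(r"/(api|handlers|controllers|forms)/"),
    "render": re.compile(r"/(views|templates)/"),
    "database": re.compile(r"/(db|models|repositories)/"),
    "filesystem": re.compile(r"/(storage|uploads|files)/"),
}

# Paths that are rarely reachable by an attacker. Findings here are kept but
# deprioritized so the consultant can still confirm or dismiss them.
LOW_EXPOSURE = re.compile(r"^(tests|docs|examples)/")

SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass
class TriagedFinding:
    rule: str
    file: str
    line: int
    severity: str
    area: Optional[str]
    score: int
    needs_manual_review: bool


def classify_area(path: str) -> Optional[str]:
    """Return the first risk area whose directory pattern matches the path."""
    for name, pattern in RISK_AREAS.items():
        if pattern.search("/" + path):
            return name
    return None


def triage(findings) -> List[TriagedFinding]:
    """Score each finding and return them highest-priority first."""
    out = []
    for f in findings:
        area = classify_area(f["file"])
        score = SEVERITY_WEIGHT.get(f["severity"], 0)
        if area is not None:
            score += 2          # high-risk area: bump priority
        if LOW_EXPOSURE.match(f["file"]):
            score -= 2          # test/doc code: keep, but push down the list
        needs_manual = area is not None and f["severity"] != "low"
        out.append(TriagedFinding(f["rule"], f["file"], f["line"],
                                  f["severity"], area, max(score, 0),
                                  needs_manual))
    out.sort(key=lambda t: t.score, reverse=True)   # stable sort keeps ties in input order
    return out


def manual_review_queue(findings) -> List[TriagedFinding]:
    """Subset of findings the consultant must verify by hand."""
    return [t for t in triage(findings) if t.needs_manual_review]


if __name__ == "__main__":
    for t in triage(SAMPLE_FINDINGS):
        flag = "MANUAL" if t.needs_manual_review else "auto  "
        print(f"{t.score}  {flag}  {t.severity:6}  {t.area or '-':10}  "
              f"{t.file}:{t.line}  {t.rule}")
```

Nothing is discarded by the script; a low score only moves a finding toward the end of the consultant’s queue, which matches the confirm-findings step where a human, not a rule, decides what is filtered out.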

Tangible Results

  • Certified cybersecurity professionals provide a hacker’s point of view
  • Identification of vulnerabilities
  • Testing tailored to the areas that matter most to your organization
  • Full report with executive summary, exploits and remediation guidance

Get In Touch Today