A Secure Code Review (SCR) identifies vulnerabilities in the design and implementation of an application by examining its source code, configuration, and third-party component dependencies. Guided by the OWASP Code Review Guide, the review combines manual and automated techniques to identify vulnerabilities at the code level.
Our SCR service can be bundled with any of our other Application Security services to add coverage depth, or deeper analysis, where required.
Secure Code Review offers advantages over other testing approaches:
While virtually all software development life cycles include some form of testing and validation, secure code review often takes a backseat to looming deadlines. Static analysis (SAST) offers a low-barrier, repeatable, and scalable way to identify security flaws, but yields high volumes of both false positives and false negatives. Manual code review is critical to validating findings and uncovering additional flaws that automation misses, but comes with tradeoffs of its own – namely speed, scalability, and repeatability.
So, how can DevOps teams get the best of both worlds while scaling to meet the demands of ongoing development sprints? Watch this webcast for an in-depth look at how to integrate both automated and manual code review into the SDLC.
We review the source code of apps because it is the most comprehensive way to understand the full security posture of an application in context. Our experts provide rich insights to help you hone your ongoing processes, as well as dive deep into your code so you can be confident you've addressed any potential issues.
Using proven manual methods, we can catch business-logic and code-level security issues before applications move to production. Our methodology uncovers flaws in the following categories: data validation, authentication, session management, authorization, cryptography, error handling, logging, security configuration, and network architecture.
We help you understand the true business impact of vulnerabilities, enabling you to confidently prioritize and operationalize the findings and ensure you're focused on the right items.
Our SCR engagements pair extremely well with our Architecture Security Assessments (ASA) and Threat Modeling service to provide a complete and in-depth assessment of the security threats your application faces.
Source code exposes issues other approaches miss. Through targeted manual examination of source code, our consultants can identify edge cases and vulnerability classes that are difficult to find with automated code scanning or dynamic testing.
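As an added illustration of the kind of flaw a reader of the code finds but a taint-tracking scanner usually does not (this is example code written for this page, not Bishop Fox's own material or a client finding), the block below shows a missing object-level authorization check beside its fix. There is no injection sink anywhere in the vulnerable function, so there is no dangerous data flow to flag; the bug is what the function fails to check. The invoice records, user IDs and function names are all constructed for the example.

```python
"""Constructed example: an authorization flaw with no taint-flow signature,
beside its hardened form. Not production code; the data is made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total_cents: int


# Constructed in-memory "database" standing in for a real data store.
INVOICES = {
    101: Invoice(invoice_id=101, owner_id=1, total_cents=12_00),
    102: Invoice(invoice_id=102, owner_id=2, total_cents=48_50),
}


class Forbidden(Exception):
    """Raised when a user may not access the requested record."""


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """Authenticated but not authorized: any logged-in user can read any
    invoice by guessing its ID. Nothing here looks like SQL, a shell, or a
    file path, so a taint-based scanner has no sink to report; only reading
    the code reveals that current_user_id is never consulted."""
    return INVOICES[invoice_id]


def get_invoice_fixed(current_user_id: int, invoice_id: int) -> Invoice:
    """Ownership is enforced at the data-access layer, the specific module
    and line a reviewer would point to in the remediation guidance."""
    invoice = INVOICES.get(invoice_id)
    # One error for both "not found" and "not yours", so the response does
    # not leak which invoice IDs exist to a user probing for them.
    if invoice is None or invoice.owner_id != current_user_id:
        raise Forbidden(f"user {current_user_id} may not access invoice {invoice_id}")
    return invoice


def access_denied(current_user_id: int, invoice_id: int) -> bool:
    """True if the hardened lookup refuses the request; handy for tests and
    for a reviewer confirming the fix covers the cross-user case."""
    try:
        get_invoice_fixed(current_user_id, invoice_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # User 1 reading user 2's invoice: succeeds in the vulnerable version,
    # is refused in the fixed one.
    print(get_invoice_vulnerable(1, 102))
    print(access_denied(1, 102), access_denied(1, 101))
```

The point for a reviewer is that the hardened lookup keys on both the record ID and the requesting user, so the check cannot be forgotten at any individual call site; the same pattern applies to any record that has an owner or a tenant.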
Our consultants pinpoint issues down to the affected module and line of code, providing more accurate remediation guidance and enabling faster, more complete mitigation of identified vulnerabilities.
Our consultants are former developers with experience in popular programming languages such as Java, C#, Python, and C/C++. We can also assess newer languages such as Rust and Go.
Our consultants have contributed to the security industry by speaking at security conferences and conducting training on source code review.
Managing Security Consultant at Bishop Fox
Chris Bush is a managing security consultant at Bishop Fox. He has extensive experience in IT and information security consulting and solutions delivery, providing expertise in application security, including the performance of security assessments, secure code reviews, and penetration testing of client applications, as well as the development of security testing processes and methodologies.
Having been a contributing member of the information security community for many years, Chris has served as a volunteer for OWASP as a Technical Project Advisor, as an officer of the (ISC)2 Cleveland Chapter and has spoken at a variety of regional and national security conferences and user group meetings on subjects including secure coding, threat modeling, and other topics in software security. At Bishop Fox, Chris has been instrumental in creating application security thought leadership. He has authored blog posts on threat modeling in DevSecOps as well as the importance of secure code review in DevSecOps. Additionally, he has co-hosted webcasts focused on application security.
Chris is a Certified Information Systems Security Professional (CISSP) and holds a Bachelor of Science in Computer Science from the State University of New York at Buffalo and a Master of Science in Computer Science from the State University of New York at Binghamton.
We'd love to chat about your offensive security needs. We can help you determine the best solutions for your organization and accelerate your journey to defending forward.