Source code analysis

The root cause.

What is source code analysis?


How do hackers do it? How do they get access to the most secure and hardened servers and steal crucial information? Even with strong encryption keys and very tight firewalls, attackers still manage to break through to critical data, most of the time by pushing the code to its limits. It is often possible to make server code behave in a way that the developers did not plan for, expose internal server information (e.g. password files), or execute third-party malicious code, all without breaking any of the encryption and security schemes on the server.

Our team members are themselves experienced developers, and by combining automated tools with manual investigation they can locate the areas of the code that may be exposed to exploitation or that validate user input incorrectly.


Why perform source code analysis?


It is commonly accepted that security by obscurity is bad practice. This means that hoping that attackers will not see a hole in your software is not a good security strategy. Instead, finding and plugging these holes to prevent data breaches is a far better long term plan.

While it is possible for our team to try to discover these holes without any prior knowledge of the web application (black box testing), it can be more efficient to share the source code upfront, so that the teams can focus on the crucial job of fixing the holes instead of guessing where to find them.

The good news is that external source code reviews have been proven to deliver immediate actionable results in over 95% of cases.

Your security is our concern


Silent Breach understands that your source code, Intellectual Property and confidential data are your business.

To protect these valuable assets while we inspect them, all of our client communication is encrypted using enterprise-grade algorithms.

Moreover, our customer reports are stored off-line, and we make sure that every step of the process is secured end-to-end so that no source code is ever exposed.

Finally, the source code analysis and review can be restricted to the portions of the code that handle critical operations, such as querying databases or handling user sessions. Wherever necessary, we can limit our review to the sensitive segments of your applications' operations.

Silent Breach is the only major cybersecurity company that will refund you your deposit if we are unable to discover major security flaws in your code. That's how confident we are about our team, our methodology and our approach to security.


Web application source review


Because web applications are the number one threat in terms of remote penetration, we recommend a full source code review that covers all of the OWASP Top 10 and SANS Top 25 issues.

Web applications are by far the most exposed elements, mainly because part of the application executes in the user's browser, where it can be altered at will in an attempt to abuse the server-side code.

By design, web applications must share source code with the user in order to execute in the user's browser. Because JavaScript is an interpreted language, it can be read very easily, unless it is obfuscated, to analyze and understand your application's logic.

The different types of source code analysis


Web applications


Web applications are by far the most difficult security challenges out there. The main difficulty resides in having code running remotely in the user's browser, which can be abused to fool the server. Extra precautions need to be taken to sanitize user input, and make sure queries are legitimate.

We use the OWASP methodology to track down potential problems in the code, and to secure your application.

Compiled code


Attacking a network at the system level usually requires exploiting compiled code, by breaking into system services or kernel device drivers.

System breaches can be prevented by keeping your systems up to date with the latest service packs and patches, but that does not prevent new holes from being found in systems that are deployed by the millions.

Interpreted code


System scripts are a vital part of a server, and can be abused just like web applications or compiled code.

The Shellshock bug, for example, was discovered in the bash shell environment, showing that security holes can reside in a system for years before being uncovered. In fact, it might have been exploited long before it went public.

Databases / SQL


Databases are everywhere, come in different shapes and sizes, and are a vital component of many businesses. They often contain sensitive information such as passwords or other personal records, yet securing these assets is widely overlooked.

Database misconfigurations or weak access controls can expose your sensitive data while remaining undetected.
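As an added example (it is not part of this page or of Silent Breach's own service material), the following Python script shows the kind of defect a source review looks for in the web application and database sections above: a query assembled from user input, which a review flags and replaces with a parameterized query. The two handlers, the small AST-based checker, the in-memory table and its rows are all constructed for the demonstration; the checker's function names are assumptions of this example.

```python
import ast
import sqlite3

# Constructed sample handlers (not from any real application): the first builds
# its query from user input by string concatenation, the second passes the
# value as a bound parameter so the database never parses it as SQL.
VULNERABLE_SRC = '''
def find_user(conn, username):
    query = "SELECT id FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchall()
'''

HARDENED_SRC = '''
def find_user(conn, username):
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()
'''

SQL_KEYWORDS = ("SELECT ", "INSERT ", "UPDATE ", "DELETE ")


def _is_sql_literal(node):
    """True for a string constant that begins with a common SQL verb."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and node.value.upper().startswith(SQL_KEYWORDS))


def _contains_sql_literal(node):
    return any(_is_sql_literal(n) for n in ast.walk(node))


def find_dynamic_sql(source):
    """Return the line numbers where an SQL string is assembled at runtime.

    Flags three common patterns: concatenation or %-formatting (BinOp),
    f-strings (JoinedStr) and str.format() applied to an SQL literal.
    A parameterized query contains only a fixed literal and is not flagged.
    """
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
            if _contains_sql_literal(node):
                findings.add(node.lineno)
        elif isinstance(node, ast.JoinedStr) and _contains_sql_literal(node):
            findings.add(node.lineno)
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr == "format" and _is_sql_literal(node.func.value)):
            findings.add(node.lineno)
    return sorted(findings)


def run_lookup(source, username):
    """Load the handler from `source` and run it against a throwaway database.

    Returns the rows found, or None when the input broke the query grammar,
    which is exactly the failure mode a review of VULNERABLE_SRC predicts:
    a perfectly legitimate name containing a quote already breaks it.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "O'Brien")])  # constructed rows
    namespace = {}
    exec(source, namespace)
    try:
        return namespace["find_user"](conn, username)
    except sqlite3.OperationalError:
        return None
    finally:
        conn.close()


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        print(label, "dynamic SQL on lines:", find_dynamic_sql(src))
        print(label, "lookup of O'Brien ->", run_lookup(src, "O'Brien"))
```

The checker is deliberately narrow: it keys on string literals that start with an SQL verb, so it is a triage aid for a reviewer rather than a replacement for reading the code. The runtime check shows why the finding matters even before anyone hostile touches the input: the concatenated query fails on an ordinary name with an apostrophe, while the parameterized one returns the expected row.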



Tier testing

Table 1: Tier testing

                   Web app                    Compiled code              Interpreted code           Databases / SQL            Full coverage
Duration - Tier 1  2 business days            3 business days            2 business days            3 business days            2 weeks
Duration - Tier 2  3 business days            5 business days            3 business days            4 business days            3 weeks
Duration - Tier 3  5 business days            5 business days            5 business days            5 business days            4 weeks
Duration - Tier 4  7 business days            8 business days            7 business days            8 business days            6 weeks
Duration - Tier 5  10 business days           10 business days           10 business days           10 business days           8 weeks
Cost               Please request cost sheet  Please request cost sheet  Please request cost sheet  Please request cost sheet  Please request cost sheet

Security packages


Your network continuously evolves, new security flaws are found daily, and hackers are getting smarter. Protect your business today and tomorrow.

Table 2: Annual protection package

                  Bronze                     Silver                     Gold                       Platinum                   Diamond
Schedule          Quarterly Tier 1 tests     Quarterly Tier 2 tests     Quarterly Tier 3 tests     Quarterly Tier 3 tests     Quarterly Tier 4 tests
                                                                                                   + bi-annual Tier 4 tests   + bi-annual Tier 5 tests
Average savings   10%                        15%                        20%                        25%                        30%
Cost              Please request cost sheet  Please request cost sheet  Please request cost sheet  Please request cost sheet  Please request cost sheet