Source code analysis

The root cause of remote penetration.

What is source code analysis?


How do attackers do it? How do they get into the most secure and hardened servers and steal critical information? Even with strong encryption and tightly configured firewalls, attackers still find their way to sensitive data, most of the time by pushing the application code beyond what it was designed to handle. It is sometimes possible to make server code behave in a way the developers never planned for, such as exposing internal server files (password files, for example) or executing third-party malicious code, without breaking any of the encryption or other security controls on the server.

Most of our team members are experienced developers themselves. Using automated tools combined with manual investigation, they locate the areas of the code that may be exposed to exploitation, starting with faulty or missing user input validation.


Why perform source code analysis?


It is commonly accepted that security through obscurity is bad practice: hoping that attackers will not find a hole in your software is not a security strategy. Finding and plugging these holes before they lead to a data breach is the better long-term plan.

While our team can try to discover these holes without any prior knowledge of the web application (black box testing), it is usually more efficient to share the source code upfront, so that both teams can focus on fixing the holes instead of guessing where they are.

Your security is our concern


Silent Breach understands that your intellectual property and your confidential data are your business. All client communication is encrypted using industry-standard algorithms, our customer reports are stored offline internally, and every step of the process is secured so that no source code is ever exposed.

Furthermore, if required, we can limit the analysis to the portion of the code that handles critical operations, such as querying databases or handling user sessions, or to the critical phases of the system's operation.


Web application source review


Because web applications are the number one vector for remote penetration, we recommend a full source code review covering the OWASP Top 10 and the CWE/SANS Top 25 most common weaknesses.

Web applications are by far the most exposed elements, mainly because part of each application executes in the user's browser, where it can be changed at will to abuse the server-side code.

The different types of source code analysis


Web applications


Web applications are among the most difficult security challenges out there. The main difficulty lies in having client code running remotely in the user's browser, where it can be modified to fool the server: any check performed only in the browser (form validation, hidden fields, JavaScript) can be bypassed by editing the request directly. Extra precautions need to be taken on the server side to validate and sanitize every user input and to make sure each query is legitimate.

We use the OWASP methodology to track down potential problems in the code and secure your application.
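As an added illustration of the server-side precautions described above (example code written for this page, not Silent Breach's own tooling or any client's code): the same username lookup built the insecure way and the hardened way, run against a constructed in-memory SQLite table. The table, column names, sample rows, injection payload and username policy are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data for this example only (not from any real system):
# a minimal users table with a hypothetical is_admin column.
SAMPLE_USERS = [
    ("alice", "hash-a", 0),
    ("bob", "hash-b", 0),
    ("root", "hash-r", 1),
]

# Classic tautology payload an attacker can put in the username field after
# removing or bypassing any JavaScript validation in the page.
PAYLOAD = "' OR '1'='1"

# Server-side allow-list for usernames: a lowercase letter followed by 2-31
# letters, digits or underscores. Hypothetical policy chosen for the example.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Trusts the value exactly as the browser sent it and splices it into SQL.

    A check that only runs in the browser (maxlength, a regex in JavaScript,
    a hidden field) does not protect this: the attacker edits the HTTP
    request, not the rendered page.
    """
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, name):
    """Sends the value as a bound parameter, separate from the query text.

    Quote characters in the input are data to the database, never SQL syntax,
    so the tautology payload matches no row.
    """
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def validate_username(name):
    """Server-side allow-list validation, independent of anything the client did."""
    return USERNAME_RE.fullmatch(name) is not None


def lookup_hardened(conn, name):
    """Validate first, then query with a bound parameter (defence in depth)."""
    if not validate_username(name):
        raise ValueError("rejected username: does not match server-side policy")
    return lookup_parameterised(conn, name)


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, honest input:   ", lookup_vulnerable(conn, "alice"))
    print("vulnerable, injected input: ", lookup_vulnerable(conn, PAYLOAD))
    print("parameterised, injected:    ", lookup_parameterised(conn, PAYLOAD))
    try:
        lookup_hardened(conn, PAYLOAD)
    except ValueError as exc:
        print("hardened, injected:          rejected ->", exc)
    print("hardened, honest input:     ", lookup_hardened(conn, "alice"))
```

Run as a script, the string-built query returns every user for the tautology payload, the bound-parameter version returns nothing, and the allow-list rejects the input before it reaches the database at all. The same pattern applies to any driver that supports bound parameters; the allow-list is still worth keeping, because it also catches inputs that are harmless to SQL but wrong for the application.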

Compiled code


Attacking a network at the system level usually requires exploiting compiled code: breaking into system services or kernel device drivers.

Many system breaches can be prevented by keeping your systems up to date with the latest service packs and patches, but patching does not prevent new holes from being found in software that is deployed on millions of systems.

Interpreted code


System scripts are a vital part of a server and can be abused just like web applications or compiled code. Unlike compiled code, memory is managed automatically by the interpreter, so memory buffer overruns are a lot less likely; the typical weaknesses are instead logic and injection flaws, such as unquoted variables and unsafe handling of environment variables and file paths.

The Shellshock bug (CVE-2014-6271) was recently discovered in the bash shell environment, showing that security holes can reside in a system for years before being uncovered. In fact, it may well have been exploited long before it went public.

Databases / SQL


Databases are everywhere. They come in different shapes and sizes, but they are a vital component of many businesses. They often contain sensitive information such as passwords or other personal records, yet securing these assets is often overlooked. Database misconfiguration or weak access controls can expose your sensitive data without the exposure necessarily being detected.




Tier testing

Table 1: Tier testing (duration per test type and tier; cost on request)

Test type              Tier 1            Tier 2            Tier 3            Tier 4            Tier 5
1 / Web app            2 business days   3 business days   5 business days   7 business days   10 business days
2 / Compiled code      3 business days   5 business days   5 business days   8 business days   10 business days
3 / Interpreted code   2 business days   3 business days   5 business days   7 business days   10 business days
4 / Databases / SQL    3 business days   4 business days   5 business days   8 business days   10 business days
5 / Full coverage      2 weeks           3 weeks           4 weeks           6 weeks           8 weeks
Cost                   Please request cost sheet (all test types and tiers)

Security packages


Your network evolves, new security flaws are found every day and attackers are getting smarter; protect your business today and tomorrow.
Table 2: Annual protection package

Package    Tests included                                    Average savings   Cost
Bronze     Quarterly Tier 1 tests                            10%               Please request cost sheet
Silver     Quarterly Tier 2 tests                            15%               Please request cost sheet
Gold       Quarterly Tier 3 tests                            20%               Please request cost sheet
Platinum   Quarterly Tier 3 tests + bi-annual Tier 4 tests   25%               Please request cost sheet
Diamond    Quarterly Tier 4 tests + bi-annual Tier 5 tests   30%               Please request cost sheet
