Application Source Code Scanning


Application Security Code Review Information

An Application Security Code Review is the review of application source code, together with the developers, to identify code-level issues that could let an attacker compromise an application, system, or business function. A manual Security Code Review (also known as a secure code review, application code review or application security review) is labour-intensive and expensive, so it is normally confined to the highest-risk areas of the code; automated source code scanning covers the rest of the codebase and points the manual effort at the sections that need it.

Key activities include:

  • Automated scanning of the key source code using a commercial or open source scanner designed for the language in use; and
  • Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible the report also includes root cause analysis, peer-group benchmarking, good-practice benchmarking, and executive and technical summaries.

The main benefits of automated source code scanning are:

  • It is an effective way to identify functional and syntax errors;
  • It can focus manual code review on the problematic sections of code;
  • Used after a Vulnerability Assessment, it can quickly identify the coding flaw behind a reported vulnerability; and
  • It can enforce compliance with the relevant coding standards within the Security Development Life Cycle.
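The following is an added example, not a tool or code from this page or its authors, showing what the automated scanning, reporting and standards-enforcement steps above amount to in practice. It is a small AST-based scanner for Python source: it flags SQL statements assembled by string formatting, shell=True subprocess calls, eval/exec, and weak hashes, reports each finding with a rule identifier and line number, maps a line number from a vulnerability assessment back to its finding, and gates a build on a severity threshold. The rule identifiers (SQLI-001 and so on), the function names, and the SAMPLE code under test are all constructed for this illustration and do not correspond to any real product.

```python
"""Minimal AST-based source code scanner for Python (added example, not a real product)."""
from __future__ import annotations
import ast
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str      # hypothetical rule identifier
    severity: str  # "low", "medium" or "high"
    line: int
    detail: str

_SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}

def _is_dynamic_string(node: ast.AST) -> bool:
    """True when a string is assembled at runtime: an f-string with placeholders,
    concatenation or %-formatting with a non-literal operand, or str.format()."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(p, ast.FormattedValue) for p in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return any(isinstance(n, (ast.Name, ast.Call, ast.Attribute, ast.Subscript))
                   for n in ast.walk(node))
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")

def _call_name(node: ast.Call) -> str:
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    if isinstance(node.func, ast.Name):
        return node.func.id
    return ""

class _Visitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        # SQL statement built by string formatting and passed straight to execute()
        if name in ("execute", "executemany") and node.args and _is_dynamic_string(node.args[0]):
            self.findings.append(Finding("SQLI-001", "high", node.lineno,
                "SQL statement built by string formatting; use a parameterised query"))
        # shell=True hands the whole command line to a shell
        if name in ("run", "call", "check_call", "check_output", "Popen"):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(Finding("CMDI-001", "high", node.lineno,
                        "subprocess with shell=True; pass an argument list instead"))
        if name in ("eval", "exec"):
            self.findings.append(Finding("EVAL-001", "medium", node.lineno, f"{name}() on runtime data"))
        if name in ("md5", "sha1"):
            self.findings.append(Finding("CRYPTO-001", "low", node.lineno, f"weak hash {name}()"))
        self.generic_visit(node)

def scan_source(source: str, filename: str = "<input>") -> list[Finding]:
    """Run every rule over one source file and return findings ordered by line."""
    visitor = _Visitor()
    visitor.visit(ast.parse(source, filename))
    return sorted(visitor.findings, key=lambda f: f.line)

def report(findings: list[Finding]) -> str:
    """Plain-text findings report, one line per finding."""
    lines = [f"{f.rule} [{f.severity}] line {f.line}: {f.detail}" for f in findings]
    return "\n".join(lines) if lines else "no findings"

def findings_for_line(findings: list[Finding], line: int) -> list[Finding]:
    """Map a line number (e.g. from a vulnerability assessment) back to its finding."""
    return [f for f in findings if f.line == line]

def gate(findings: list[Finding], fail_on: str = "medium") -> bool:
    """Coding-standard gate: True (pass) only if no finding is at or above fail_on."""
    return all(_SEVERITY_ORDER[f.severity] < _SEVERITY_ORDER[fail_on] for f in findings)

# Constructed sample input; the comments give the line numbers the scanner reports.
SAMPLE = '''\
import hashlib, subprocess, sqlite3

def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")   # line 5
    return cur.fetchone()

def safe_lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))      # line 10
    return cur.fetchone()

def ping(host):
    return subprocess.run(f"ping -c1 {host}", shell=True)             # line 14

def fingerprint(data):
    return hashlib.md5(data).hexdigest()                              # line 17
'''

if __name__ == "__main__":
    found = scan_source(SAMPLE, "sample.py")
    print(report(found))
    print("gate passed:", gate(found))
```

The parameterised query on line 10 of the sample is deliberately left unflagged: the scanner only reports execute() calls whose statement is assembled at runtime, which is the distinction a reviewer wants a scanner to draw rather than a blanket match on the word "execute". A real scanner adds data-flow tracking so that a query held in a variable is still followed back to its construction.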

Application Security Code Review: Best Used

  • For larger applications where manual code reviews are not practical; and
  • As part of a broader “certification and accreditation” exercise to provide a higher level of assurance for critical applications.
