Your code is only as strong as your weakest link.
Manual Code Review
Many vulnerabilities cannot be discovered without looking at the code, and for many other vulnerabilities, a manual code review is simply more efficient than scanning or testing. Manual code review is the only way that several key security controls can be verified including access control, encryption, data protection, logging, and back-end system communications and usage.
Manual code review is also very useful in identifying the attack surface of an application and tracing how data flows through an application from its sources to its sinks. Manual code review helps Aspect understand the actual security architecture as implemented, so that we can isolate architectural vulnerabilities.
Aspect advocates the use of code review as a part of our application assessment approach. Our use of code review makes our assessments more comprehensive and more accurate than any other approach. The use of code review also makes reviews more cost-effective.
Aspect uses vulnerability scanning tools, both commercial and proprietary, as a part of our application assessment process. Vulnerability scanning is one part of our hybrid approach to application assessment. Combined with code review and security testing, our approach is more cost-effective and accurate than any other approach. We tailor scanning tools in order to get a high-quality scan, and then carefully diagnose, consolidate, and verify all of the automatically generated data.
Vulnerability scanning tools explore applications and use databases of signatures to attempt to identify weaknesses. These tools can be leveraged to find instances of XSS, CSRF, SQL Injection, unprotected directories, open ports, etc. Once the tools have been trained to understand the security controls in an application, they can be used to verify many more advanced security areas as well.
The Aspect Security Edge
We verify millions of lines of code every month across a wide range of platforms and frameworks, and have fine-tuned our process to be efficient and effective. We've had experience verifying the security of the code for complex enterprise applications in industries from high finance, banking, and insurance to retail, defense, and aerospace. We have deep experience with virtually all modern software environments and frameworks, including Java, .NET, C/C++, ASP, ColdFusion, Oracle, Struts, Spring, Ajax, RIA, and many more. Even if you didn’t develop the code yourself, we are happy to work with your software provider.