Overview
Foundstone’s capability in source code security assessments extends from our Software and Application Security Service (SASS) consultants, who have performed source code audits on numerous client applications, as well as their own software. Our SASS consultants worked as development practitioners on commercial enterprise software systems and understand the software development process, as well as why and how security bugs are introduced. Our experience, combined with advanced automated tools using contextual analysis, enables us to look at a greater amount of code faster, more accurately, and more effectively than other security consulting services.
With a JumpStart Code Review, Foundstone performs a targeted assessment that augments automated code analysis with manual review. Automated tools alone are not effective at finding architectural flaws, and they also return large numbers of false positives. Foundstone’s experienced SASS consultants combat these shortcomings, providing your team with accurate and insightful results you can use to immediately improve the security of your application.
Key Benefits
Foundstone’s Software & Application Security Services team provides software security expertise that stems from their backgrounds in enterprise software development organizations. They have performed source code audits on numerous client applications as well as their own software. Having worked as development practitioners on commercial enterprise software systems, they understand the software development process as well as why and how security bugs are introduced. The recommendations they provide offer solutions that fit both the specific section of code where the issue was identified and the larger code base that must interact with the code section.
Perhaps most importantly, having faced some of the same pressures of commercial software development that your team may deal with, our consultants are well equipped to make recommendations that are practical to implement and are not just theoretical in nature. Our experts, using manual code review techniques and contextual analysis in combination with advanced automated tools, are able to look at more code, more accurately, more efficiently, and more effectively than others.
Additionally, Foundstone’s code review will help you meet the PCI DSS requirement 6.6. Foundstone’s experienced software security consultants will provide your team with accurate and insightful results you can use to immediately improve the security of your application and meet PCI requirements.
Methodology
Foundstone will perform this assessment using our tried and tested methodology:
- Basic architectural analysis and code walk-through. Performed onsite with key stakeholders from the development team, Foundstone uses this session to identify architectural flaws as well as obtain access to and walk through the source code, gaining familiarity for the next phases.
- Based on the size and complexity of the code base, Foundstone then performs targeted and time boxed code reviews. Static analysis will be performed using both commercial, open source, and Foundstone’s own internally developed code scanners. Results from these will be audited to eliminate false positives. Finally, an analysis will be performed to identify key risk areas to the application.
- Foundstone presents the report from the automated tools as well as an executive summary that allows the customer to obtain the information they need to make risk decisions with regards to the application being tested.
Our JumpStart Security Code Review includes:
- A technical report based on results from the automated scans using the tools described above.
- An executive summary, which describes the results from the report, as well as architectural flaws, systemic issues, and major sources of application risk identified by Foundstone consultants. Sources of risk can include people, process, and technology issues.
- An executive presentation that contains recommendations for mitigating risks and the proposed next steps. Foundstone can work with the customer to ensure this presentation is created at the right level for the proposed audience.