VSEC Sourcecode Review Service Profile
SOURCE CODE REVIEW SERVICES
www.vsec.com.vn
WHY DOES CODE HAVE VULNERABILITIES?
Almost 700 different kinds of software weakness have been catalogued by MITRE in the CWE project. Each is a distinct mistake that a developer can make and that leads to insecure software. Many of these weaknesses are hard to recognise and some are very subtle. Most software developers receive little training about them, either at school or at work.
These problems have become so important in recent years because connectivity has increased and new technologies and protocols are added at a remarkable rate. Our ability to invent technology has seriously outpaced our ability to secure it, and security was not considered carefully in the design of many technologies in use today.
Vietnam Security Network JSC – Application Security Assessment Services
There are many reasons why businesses do not spend enough time on security. One results from the nature of the software market: software is a black box to its buyers, so it is extremely difficult to explain to a client the difference between good code and insecure code. This lack of visibility does not motivate buyers to pay more for secure code, nor vendors to spend more resources on producing it.
Many people also dismiss security code review, saying "We never get hacked (that I know of), so we don't need security", "We have a firewall that protects our applications", or "We trust our employees not to attack our applications". A firewall does not inspect what the application does with the requests it allows through, and an insider is only one of the people who can reach the code. If decision-makers do not even know what risks they are taking, they are being irresponsible to both their shareholders and their customers.
WHAT IS SOURCE CODE REVIEW?
Source code review is the process of auditing the source code of an application to check whether proper security controls are in place, whether they work as intended, and whether they are invoked in all the right places. The aim is to ensure the application can defend itself in the environment in which it is deployed.
Source code review helps ensure that application developers are following secure development practices. After a proper source code review, a subsequent penetration test should find few, if any, further vulnerabilities in the reviewed code; what it can still reveal are issues in the deployment environment and configuration, which a review of the code alone does not cover.
In a source code review, human effort and tool support should be used in combination. Expertise is required to use current application security tools effectively. Tools can scan large amounts of code automatically and flag possible issues, but their output always needs verification by people, because people understand context and tools do not. A reviewer must check every result to decide whether it is a real issue, whether it is actually exploitable, and what risk it poses to the business. There are also significant blind spots, such as design and business-logic flaws, that automated tools simply cannot check, so human reviewers are necessary for those as well.
VSEC SOURCE CODE REVIEW SERVICES
VSEC's source code review services help uncover unexpected and hidden vulnerabilities and design flaws in source code. We use a mix of scanning tools and manual review to detect insecure coding practices, injection flaws, cross-site scripting flaws, backdoors, weak cryptography, insecure handling of external resources, and more.
VSEC understands how to exploit vulnerable applications, because we are penetration testers. From this position we offer source code review from the perspective of how an attacker can take advantage of poorly written code.
At a minimum, we check the security of the source code in the following areas:
We also analyze source code for the vulnerability categories in the OWASP Top 10.
SOURCE CODE REVIEW PROCESS
Preparation
In preparation for a source code review, we conduct a thorough study of the application and then create a comprehensive threat profile.
Analysis
VSEC's engineers study the code layout to develop a specific code review plan, and use a hybrid approach combining automated scans and custom manual review.
Solutions
After analysis, the next step is to verify the flaws found and generate a report with recommended solutions.
ADVANTAGES
Fast Delivery
Because the entire code base is available, we detect flaws directly through code analysis and avoid the need to craft and send test data to a running application.
Thorough Analysis
We evaluate the entire code layout of the application, including areas that a black-box application security test would not reach: entry points for different inputs, internal interfaces and integrations, data handling and validation logic, and the use of external APIs and frameworks.
Going Beyond Testing Limitations
Manual source code review uncovers vulnerabilities and attack surface that automated code scans miss. Through this process we identify design flaws, weak algorithms, insecure configurations and insecure coding practices.
Reporting
We produce source code review reports with an executive summary of strengths and weaknesses and detailed findings that include precise code-based solutions and fixes.
We Provide Solutions
We suggest precise fixes customised for your developers at the code level, including secure handling of sensitive data storage and more exhaustive checks to find every instance of a common vulnerability, not just the one that was reported.
Compliance
We help satisfy industry regulations and compliance standards such as PCI DSS, which requires custom application code to be reviewed for vulnerabilities before release.
Vietnam Security Network Joint Stock Company
Address: Floor M, Block A, 275 Nguyen Trai Street, Thanh Xuan Dist., Hanoi, Vietnam
Phone: (+844) 666 406 99 – Hotline: (+849) 04 861 337
Email: contact@vsec.com.vn
