In addition to examining how the program works, it is possible to examine its code also. Examining the source code can focus on analyzing the maturity of the code, detecting possible operational errors, and exploring vulnerabilities. Performing these analyzes together with the modifying the relevant codes can significantly increases the reliability of the program.
The source code analysis is done by using automated tools and manual methods. The results of the automated detection are manually checked and compared to the results of the code audit.
Checks during code audit:
- Verification of the correctness of the code (Based on security considerations only, in compliance with business logic is not covered by the audit.)
- Penetration testing (vulnerability examination) (Finding security errors specific to a programming language)
- Uncovering non-compliance with a common practice (a variety of implementation programs can be created for a given task, some of which are the best for the practices that are recommended.)
- Detecting the use of outdated / unsupported / not recommended tools and methods
During the audit, the source code is examined by a variety of tools and methods in order to detect as many errors / deficiencies as possible. The CWE vulnerability database is a common point in security analysis, with the vulnerability of Sans Top 25 and OWASP Top 10 as a priority. These lists contain the most critical errors based on the level of attack data and security.
As for the result of the investigation or investigations, a detailed audit report will be created that will include the identified errors / weaknesses, their severity classification, including the critical elements, and the most vulnerable source code sections, with relevant CWE vulnerability references or possible repair recommendations.