Source Code Security Audit

The use of the source code security audit helps identify security vulnerabilities in the design, development and implementation of an application's source code early enough in the application lifecycle that it will result in protection from vulnerabilities. EqualPartners is a trusted partner in the process of applying security metrics to predeployment applications.

The EqualPartners Source Code Security Audit addresses the following technology challenges:

  • Minimize amount of security vulnerabilities in developed or integrated software solutions;
  • Protect Intellectual Property (IP) contained within developed software solutions;
  • Minimize STRIDE threats.

Our Clients are usually seeking for the service under the following circumstances:

  • Software solution already exists (released or about to be released);
  • A security issue was discovered and/or exposed to the public;
  • Lack of internal expertise and/or resources to perform source code security audit;
  • Compliance requirement of external audit.

Typically, the following additional work may be resulted from the service:

  • Software Security Training;
  • Ongoing Security Advisory Consulting for Development teams;
  • Implementation of fixes for identified security issues.

EqualPartners provides complete source code security audit services, allowing clients to evaluate their existing level of application security and help define strategy to mitigate identified risks. This includes the following steps:

  • Security risk assessment and analysis;
  • Manual and automated source code review;
  • Identified risks mitigation strategy definition;
  • Implementation advisory for development teams.

Other Aspects of the Source Code Audit

A Security risk assessment and analysis step is performed to identify risks affecting the system, to understand the attack surface, types of technologies used, external dependencies and other factors important for risk analysis and subsequent steps. As part of this step, threat modeling is used to identify what parts of the software require the most attention from a security point of view and is used to structure the source code review process. This is proven to be an efficient technique, especially for large systems consisting of hundreds of thousands lines of code or more.

During the manual and automated source code review step, an application is validated against most common threats and attack types, including various injection types, buffer overflows, undocumented public interfaces and others. All identified issues are classified in accordance with established rankings and then prioritized.

During identified risks mitigation strategy definition step, the security advisors at EqualPartners  define the best way to mitigate the most important issues. In many cases, the capability to change the architecture of the system is limited and may be very expensive. Mitigation strategy in that case includes alternatives, which are easier to implement and deploy.

EqualPartners provides an implementation advisory for development teams, in order to ensure proper implementation of the suggested risk mitigation strategy. A security advisor is assigned and made available to the client’s development team. The advisor’s role is to ensure that each software engineer involved in the resolution of identified security issues gets the full required knowledge and advice to implement corrections. Implementation is then reviewed for final validation.

An alternative to the advisory step for the client’s development teams explained above, EqualPartners may implement the strategy in lieu of the client through our specialized Technology Delivery Services if the client is not willing to use its internal resources or existing development vendor to do this.

To inquire about adding our specialized security services to your IT project team, contact us as soon as possible.