Code security audits

A code audit assesses the security level of an information system component. This type of audit is applicable to all components, such as web applications, APIs or fat clients. It can be used to uncover vulnerabilities that would be difficult to detect or exploit in a penetration test.

Why and when should you carry out a code audit?

Code auditing can be carried out throughout an application's lifecycle, as it provides a comprehensive overview of a component's security.

Code auditing is more exhaustive than pentesting, and ensures good secure development practices.

It is particularly relevant in the following cases:

  • Before importing third-party code, such as dependencies or complete solutions: it's pertinent to carry out a code audit to assess the application's security maturity.
  • For an application with limited security maturity: a code audit can effectively identify vulnerabilities across the entire perimeter.
  • For optimum robustness: code auditing can be integrated into the software development life cycle (SDLC), before each major production release, as part of a DevSecOps approach. In this way, vulnerabilities are addressed before they are put into production.

audit-securite-code

Focus on DevSecOps

According to ANSSI, this approach drastically reduces the cost of correcting late-breaking vulnerabilities, and speeds up time-to-production. Companies that adopt DevSecOps benefit from better risk anticipation, automated testing and increased resilience to cyberattacks. But to exploit this potential to the full, we need to rely on structuring principles (e.g. Shift Left, Security Champion, Evil user story).

Code audit methodology

At AlgoSecure, we base our methodology on the code review guide from OWASP as well as on that of ANSSI. A first pass is performed on all the code using automated analysis tools to identify trivial vulnerabilities. Then, critical functionalities, defined with the customer or selected by the auditors, are analyzed manually.

The following checks are commonly performed on all applications:

audit-securite-code

User input is often manipulated by the program, so security mechanisms must be applied to prevent an attacker from altering its normal execution. A successful attack can allow the attacker to recover information or gain access to the system.
Among other things, the application must :

  • Apply strict rules on the format of expected data, either via DTOs (data transfer objects) or filtering rules.
  • Filter user input and escape special characters specific to the language used. In the case of SQL, characters such as * ' " % ; must be eliminated before processing the query.
  • Always use prepared queries when creating SQL queries.
  • Implement size, type and storage controls on files sent to the server.

A user authenticates himself when he connects to a service. Once authenticated, proof of identity is issued in the form of a session token. This feature is particularly sensitive, as bypassing it can result in the compromise of all system accounts.
Here are the checks carried out to test the robustness of these processes:

  • Ensure that the system limits the number of failed login attempts and applies a temporary lockout after several attempts, to protect against brute-force attacks.
  • Ensure the application of a complex password policy.
  • Implement non-verbose, non-technical error messages on authentication interfaces
  • Ensure the randomness of a session token and check that an attacker cannot generate a valid session token for another user.
  • Ensure that session tokens can be properly revoked, especially in the event of disconnection.

In an application, it is common to manage several users with different access rights to data and functions. AlgoSecure will ensure that rights are correctly applied by checking the following points:

  • Data is properly associated with the users concerned and cannot be accessed by unauthorized users.
  • Some functions, such as administration functions, can only be executed by accounts with the appropriate privileges.
  • No objects should be directly referenced, so that an attacker cannot easily find them.

With the increasing use of dependencies, libraries and frameworks, careful configuration by developers is necessary to apply hardening rules. Here are a few verified rules:

  • Enable access logging and monitoring, especially for sensitive functions.
  • Ensure that all third-party components are up to date.
  • Disable unnecessary services to limit attack surface.
  • Delete or deactivate unnecessary pages, including default library pages.
  • Check the configuration of security mechanisms, including the application of a TLS layer and protection against CSRF attacks.
  • Ensure that no secrets (such as API keys or passwords) are hard-coded into the code.

Sensitive data (personal data, passwords, payment data, etc.) must be stored in encrypted form. AlgoSecure will verify the use of a strong encryption algorithm for data identified as sensitive. In particular, it will ensure that:

  • Data and backups are encrypted
  • Standard algorithms and strong keys are used
  • That keys and passwords are protected from unauthorized access

The list is not exhaustive, as the checks carried out are adapted to each situation. They vary according to the technology used, such as buffer overflow detection in low-level languages, but also according to the functionality of the application.

Following this audit, a report is sent out, explaining all the vulnerabilities discovered and, above all, proposing corrections adapted to your context.

Algosecure benefits

At AlgoSecure, our PASSI (Prestataires d'Audit de la Sécurité des Systèmes d'Information) qualification on the Code Audit scope testifies to our expertise and our commitment to delivering high-quality code audits. We help our customers not only to identify and correct weaknesses in their code, but also to implement robust secure development practices.

You've enabled "Do Not Track" in your browser, we respect that choice and don't track your visit on our website.