Code security audits

User input is often manipulated by the program, so security mechanisms must be applied to prevent an attacker from altering its normal execution. A successful attack can allow the attacker to recover information or gain access to the system.
Among other things, the application must :

• Apply strict rules on the format of expected data, either via DTOs (data transfer objects) or filtering rules.
• Filter user input and escape special characters specific to the language used. In the case of SQL, characters such as * ' " % ; must be eliminated before processing the query.
• Always use prepared queries when creating SQL queries.
• Implement size, type and storage controls on files sent to the server.

A user authenticates himself when he connects to a service. Once authenticated, proof of identity is issued in the form of a session token. This feature is particularly sensitive, as bypassing it can result in the compromise of all system accounts.
Here are the checks carried out to test the robustness of these processes:

• Ensure that the system limits the number of failed login attempts and applies a temporary lockout after several attempts, to protect against brute-force attacks.
• Ensure the application of a complex password policy.
• Implement non-verbose, non-technical error messages on authentication interfaces
• Ensure the randomness of a session token and check that an attacker cannot generate a valid session token for another user.
• Ensure that session tokens can be properly revoked, especially in the event of disconnection.

In an application, it is common to manage several users with different access rights to data and functions. AlgoSecure will ensure that rights are correctly applied by checking the following points:

• Data is properly associated with the users concerned and cannot be accessed by unauthorized users.
• Some functions, such as administration functions, can only be executed by accounts with the appropriate privileges.
• No objects should be directly referenced, so that an attacker cannot easily find them.

With the increasing use of dependencies, libraries and frameworks, careful configuration by developers is necessary to apply hardening rules. Here are a few verified rules:

• Enable access logging and monitoring, especially for sensitive functions.
• Ensure that all third-party components are up to date.
• Disable unnecessary services to limit attack surface.
• Delete or deactivate unnecessary pages, including default library pages.
• Check the configuration of security mechanisms, including the application of a TLS layer and protection against CSRF attacks.
• Ensure that no secrets (such as API keys or passwords) are hard-coded into the code.

Sensitive data (personal data, passwords, payment data, etc.) must be stored in encrypted form. AlgoSecure will verify the use of a strong encryption algorithm for data identified as sensitive. In particular, it will ensure that:

• Data and backups are encrypted
• Standard algorithms and strong keys are used
• That keys and passwords are protected from unauthorized access