
Astyran Pte Ltd

Pragmatic Application Security

Secure Code and Secure Design Review 
Overview

For your most critical applications, a pentest or vulnerability assessment might not be enough to provide reasonable assurance that your application is secure. A deeper assessment might be driven by compliance requirements from the Payment Card Industry (PCI) standard or the Internet Banking and Technology Risk Management guidelines (IB&TRM) of the Monetary Authority of Singapore.

Our Secure Code Review service looks at your application and reports on vulnerabilities or security issues found. Our manual approach detects:

 
Risk Based Methodology Based on Business Relevance

An exhaustive code review is seldom feasible or cost-effective in a commercial environment. Astyran has a unique business-driven approach to limit the number of lines under review to what is relevant and needed.
 
Starting from your compliance and security objectives, we take an in-depth look at how your application is used (or will be used) by your teams and how the application fits in its environment. This enables us to limit the manual review to the modules that are security relevant, which, in our experience, is only 10 to 20 percent of the code base.
 
This methodology also gives us a very good idea of how an external or internal attacker or a malicious developer might try to perform or hide unauthorised actions, and it helps us search for malicious code as required by certain standards. Our experienced consultants will assess how the application could be broken and search for traces of this in the code, just as a virus scanner would.
 
Standards Compliant

Our pragmatic methodology and experienced consultants will detect non-compliances or issues in the application as required by international standards or guidelines such as:

 

 
Frequently Asked Questions

What is your pricing model?

All assessments are fixed price: you know upfront what it will cost you. An important factor in the pricing is the location of the review, at our premises or yours. Note that follow-up reviews are always much cheaper than the initial review, since our consultants will already be familiar with your application.

At which stage in the System Development Lifecycle (SDLC) should a secure code review be performed?

We recommend starting as soon as possible with internal peer reviews. These reviews should focus on compliance with developer coding standards (we can write them for you if needed). Our code review should be done at the start of User Acceptance Tests (UAT) and must be repeated when changes to the code are made.

How do you protect our intellectual property (IP)?

An application might have taken many years to develop. Source code is an important asset for a company and must be protected. This is typically taken care of in the contract. Many of our clients want a review at their premises, in a controlled environment and on their workstations.

We must, however, warn that it is always safer to assume that an attacker already has your source code. Security by obscurity has never worked in the past.

How do you protect our confidentiality?

Security measures regarding communication, reporting, and data security will be discussed at the kick-off of a project. Typically, encryption will be used for all communication. Data gathered during an assessment is not kept unnecessarily and will be destroyed one month after the acceptance of the final report.
