Security risks in your source code
Many security risks in source code are retraceable to the development process of the software. However, many vulnerabilities are only to be found when software is tested on functionalities (penetration testing) or, even worse, when the software has already be taken into use. By analyzing the software in the development stage, certain risks can be solved preventively, making you less vulnerable in the future. A vulnerability analysis scans the blueprint of the code (source code_) automatically to find known vulnerabilities. After the analysis, an expert will prioritize, verify and evaluate the results. Omnext offers both pen testing and code analysis, but is mainly focused on the source code (vulnerability) analysis, as this method is quick, effective and accurate. To reach an accurate insight into the vulnerabilities hidden in the code, the OWASP Top 10 and SANS 25 are used.
OWASP Top 10
The Open Web Appliation Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Most big security companies tribute, and are connected, to OWASP. OWASP defines a set of categroies which contain the most common and destructive vulnerabilities.
The SANS 25 contains the top 25 most dangerous software errors. These are the errors programmers make during the development or maintenance of an application, which eventually lead to potential security vulnerabilities. The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe.
Examples of risks in the source code as also stated in the OWASP Top 10 are:
Injection: the most dangerous category. Injection vulnerabilities enables attackers to ‘inject’ their own data or piece of code into the software product. Making it possible to manipulate the product and achieve full access to the underlying data.
Cross-Site Scripting (XSS): XSS attacks are mostly combined with injection attacks, where the injection isn’t sufficient enough. An XSS attack enables the attacker to run their own piece of code within the software product, by taking advantage of poor data filtration and/or identification. Execution data (code) which is brought in the software product from an external source, should never pass the data filters.
Are you unsure about the security status of your software? Get in touch to find out how we can help you!