
Source Code Auditing

Source code auditing is a systematic analysis of a program's source code to discover security weaknesses, bugs and violations of programming conventions. The auditor's main focus is on weaknesses an attacker could exploit, and on bugs that become exploitable under hostile input. A security code review is the process by which an organisation identifies and fixes potentially risky vulnerabilities before the code reaches production; the earlier in the development process a flaw is found, the cheaper it is to fix, so reviews should happen throughout development rather than only before release. Security code reviews concentrate on each of the following areas: authentication, authorization, security configuration, session management, logging, data validation, error handling and encryption. Reviewers must be fluent in the language of the application under review and familiar with that language's characteristic pitfalls (memory safety in C/C++, unsafe deserialization in Java and .NET, dynamic evaluation and string-built queries in Perl, PHP, Ruby and Python). Languages commonly encountered include C/C++, C#, Java/JSP, .NET, Perl, PHP, Ruby, Python and others.

Source code analysis can be done in two ways:

● Manually.
Manual secure code review is the process of reading source code line by line to identify potential vulnerabilities. It is tedious and requires skill, experience, persistence and patience, but it is the only way to find flaws in business logic (a price check that can be bypassed, an authorization decision made on the wrong object), which no tool can recognise without understanding what the application is meant to do.

Manual code analysis follows these steps:

⮚ Gaining basic information about the business logic: what the application does, who its users are, where untrusted input enters and which data is sensitive.
⮚ Source code review: tracing each input from its entry point to the sinks where it is used (database queries, file paths, shell commands, HTML output) and checking each of the focus areas listed above.
⮚ Drafting a report: every finding with its location, impact, a way to reproduce it and a recommended fix.

● Using automated tools.

Many tools are available for reviewing source code and reporting bugs and vulnerabilities. Automated tools are fast, consistent and scale to large code bases, so they are the usual first pass; they detect known patterns (tainted input reaching a dangerous sink, weak cryptographic calls, hard-coded secrets) but produce false positives that must be triaged and miss logic flaws, so they complement manual review rather than replace it.
Let's look at some automated tools for source code analysis:

VisualCodeGrepper (VCG)
An automated code security review tool for C++, C#, VB, PHP, Java, PL/SQL and COBOL, intended to speed up the code review process by identifying bad or insecure code. It can be downloaded from
https://sourceforge.net/projects/visualcodegrepp/

YASCA
YASCA (Yet Another Source Code Analyzer) analyses Java and C/C++ primarily, with plug-ins for other languages, for security flaws and other bugs.

JSHint
JSHint is a tool that helps to detect errors and potential problems in JavaScript code. It is a general linter rather than a security scanner, so it catches mistakes that often precede vulnerabilities (undeclared variables, accidental globals, sloppy comparisons) but does not look for injection or authentication flaws.

Responsibilities while undertaking a source code analysis:

● Assist development teams in preparing code for auditing
● Analyse source code on a line-by-line basis
● Review authentication, authorization, session and communication mechanisms
● Identify issues that could result in unauthorized access or leaking of sensitive information
● Understand the subtleties of commercial and open source licensing (i.e. intellectual property law)
● Review third-party commercial and/or open source libraries
● Deliver audit results to development and legal teams
● Educate development teams on best practices for code creation
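As an added illustration of what the line-by-line review of authentication, session and data-validation code described above looks for (this is example code written for this page, not code from the page or from any tool it names), the following Python module places three vulnerable functions beside their hardened versions: a database lookup built by string formatting (data validation), a plaintext password comparison (authentication), and a predictable session token (session management). The users table, the accounts and the attacker payload are constructed inside the module so that it runs offline.

```python
"""Vulnerable-versus-hardened pairs a line-by-line reviewer would flag.

Added example for this page. The `users` table, the accounts and the attacker
input are constructed here so the module runs offline; this is not code from
any tool or project the page names.
"""
import hashlib
import hmac
import os
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory database with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# --- Data validation: SQL built by string formatting ----------------------

def lookup_role_vulnerable(conn, name: str) -> list:
    # Reviewer finding: user input is concatenated into the SQL text, so a
    # quote in `name` changes the statement instead of the value.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_role_hardened(conn, name: str) -> list:
    # Fix: parameterized query; the driver never interprets `name` as SQL.
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# --- Authentication: password storage and comparison ----------------------

def check_password_vulnerable(stored_plain: str, supplied: str) -> bool:
    # Reviewer finding: the secret is stored in plaintext, and `==` stops at
    # the first mismatching byte, so timing leaks how much of it matched.
    return stored_plain == supplied


def hash_password(password: str, salt: bytes = b"") -> tuple:
    # Fix: salted, iterated PBKDF2-HMAC-SHA256 (600,000 iterations is the
    # OWASP Password Storage Cheat Sheet figure) so stolen records are not
    # directly usable.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest


def check_password_hardened(salt: bytes, stored_digest: bytes, supplied: str) -> bool:
    _, digest = hash_password(supplied, salt)
    return hmac.compare_digest(digest, stored_digest)  # constant-time compare


# --- Session management: token generation ---------------------------------

def session_token_vulnerable(user_id: int) -> str:
    # Reviewer finding: the token is a function of a guessable value, so
    # anyone who knows a user id can compute that user's token.
    return hashlib.md5(str(user_id).encode()).hexdigest()


def session_token_hardened() -> str:
    # Fix: 256 bits from the OS CSPRNG, unrelated to any user attribute.
    return secrets.token_urlsafe(32)


def demo() -> dict:
    """Run each pair on constructed input; every value should be True."""
    conn = make_db()
    payload = "x' OR '1'='1"   # constructed attacker input
    vuln_rows = lookup_role_vulnerable(conn, payload)
    safe_rows = lookup_role_hardened(conn, payload)
    salt, digest = hash_password("correct horse")
    return {
        "injection_returns_all_users": len(vuln_rows) == 2,
        "parameterized_returns_nothing": safe_rows == [],
        "good_password_accepted": check_password_hardened(salt, digest, "correct horse"),
        "bad_password_rejected": not check_password_hardened(salt, digest, "wrong"),
        "predictable_token": session_token_vulnerable(42) == session_token_vulnerable(42),
        "random_tokens_differ": session_token_hardened() != session_token_hardened(),
    }


if __name__ == "__main__":
    for finding, value in demo().items():
        print(f"{finding}: {value}")
```

Each "vulnerable" function is the kind of line a reviewer notes in the report together with its sink (the query, the comparison, the token); the "hardened" version next to it is the recommended fix, which is what makes the report actionable for the development team.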

Following are some tools recommended on the OWASP website:

Bandit - a source vulnerability scanner for Python; it parses each file into an abstract syntax tree and runs plug-in tests against the nodes.

Flawfinder - scans C and C++ for calls to risky library functions (strcpy, sprintf, system and similar) and ranks each hit by risk level.

.NET Security Guard - Roslyn analyzers that aim to help security audits of .NET applications. It finds SQL injection, LDAP injection, XXE, cryptography weaknesses, XSS and more. The project is now maintained under the name Security Code Scan.

RIPS - RIPS Open Source is a static source code analyser for vulnerabilities in PHP web applications.

VisualCodeGrepper (VCG) - scans C/C++, C#, VB, PHP, Java and PL/SQL for security issues and for comments which may indicate defective code.

YASCA - YASCA (Yet Another Source Code Analyzer) analyses Java and C/C++ primarily, with other languages and JavaScript, for security flaws and other bugs.

Checkmarx - a commercial static application security testing (SAST) product.

SonarQube - a code quality platform with security rules, available in a free Community edition.
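To show what an automated scanner such as Bandit actually does, here is a deliberately small AST-based scanner written as an added example for this page; it is not Bandit's code or any other tool's, and its rule set and the sample module it scans are constructed here. Each rule matches a syntactic pattern: a string literal beginning with a SQL keyword combined with %, + or an f-string, a subprocess call with shell=True, a string literal assigned to a name containing PASSWORD, SECRET or TOKEN, a call to hashlib.md5 or hashlib.sha1, and eval or exec.

```python
"""A minimal AST-based scanner of the kind Bandit applies to Python.

Added example for this page, not Bandit's or any other tool's code. The rules
and the sample source below are constructed to show how pattern matching over a
syntax tree finds the bug classes the page lists; a real tool has hundreds of
rules plus a severity and confidence model.
"""
import ast

# Constructed sample module under review (not from the page).
SAMPLE_SOURCE = '''
import hashlib
import subprocess

DB_PASSWORD = "hunter2"

def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)

def ping(host):
    subprocess.call("ping -c 1 " + host, shell=True)

def fingerprint(data):
    return hashlib.md5(data).hexdigest()

def safe_find(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

SQL_WORDS = ("select ", "insert ", "update ", "delete ", "drop ")
SECRET_WORDS = ("PASSWORD", "SECRET", "TOKEN")


def _is_sql(node) -> bool:
    """True when `node` is a string constant that starts like a SQL statement."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and node.value.lstrip().lower().startswith(SQL_WORDS))


def _call_name(node: ast.Call) -> str:
    """Dotted callee name, e.g. 'subprocess.call' or 'eval'; '' if complex."""
    f = node.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    if isinstance(f, ast.Name):
        return f.id
    return ""


class Scanner(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (line, rule, message)

    def report(self, node, rule, msg):
        self.findings.append((node.lineno, rule, msg))

    def visit_Assign(self, node):
        # Hard-coded credential: NAME containing a secret word = "literal".
        literal = isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)
        for target in node.targets:
            if literal and isinstance(target, ast.Name) and any(
                    w in target.id.upper() for w in SECRET_WORDS):
                self.report(node, "hardcoded-secret", f"{target.id} assigned a string literal")
        self.generic_visit(node)

    def visit_BinOp(self, node):
        # SQL text built with % or +, e.g. "SELECT ... '%s'" % name.
        if isinstance(node.op, (ast.Mod, ast.Add)) and _is_sql(node.left):
            self.report(node, "sql-format", "SQL statement built by string formatting")
        self.generic_visit(node)

    def visit_JoinedStr(self, node):
        # f-string whose literal prefix is a SQL statement.
        if node.values and _is_sql(node.values[0]):
            self.report(node, "sql-format", "SQL statement built with an f-string")
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _call_name(node)
        if name.startswith("subprocess.") and any(
                k.arg == "shell" and isinstance(k.value, ast.Constant) and k.value.value is True
                for k in node.keywords):
            self.report(node, "shell-true", f"{name} with shell=True")
        if name in ("hashlib.md5", "hashlib.sha1"):
            self.report(node, "weak-hash", f"{name} is not collision resistant")
        if name in ("eval", "exec"):
            self.report(node, "code-exec", f"{name}() on runtime data")
        self.generic_visit(node)


def scan(source: str) -> list:
    """Parse `source` and return (line, rule, message) findings sorted by line."""
    scanner = Scanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings)


if __name__ == "__main__":
    for line, rule, msg in scan(SAMPLE_SOURCE):
        print(f"line {line}: [{rule}] {msg}")
```

Note the limits this exposes: the safe parameterized query in safe_find is correctly left alone, but the sql-format rule would also fire on a formatted statement whose only argument is a compile-time constant, and nothing here tracks whether `host` or `name` is actually attacker-controlled. That is the false-positive and taint-tracking gap a reviewer closes by hand when triaging tool output.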
