
Recently I came across a situation where an institution had hired a third-party vendor to develop its business applications. I came up with the following questions related to penetration testing and independent third-party secure source code review:

  • How is an exercise of independent third-party secure source code review different from penetration testing?

  • What are the limitations of independent third-party secure source code review and penetration testing, and do they cover each other where they are limited?

  • What areas does independent third-party secure source code review cover that penetration testing doesn't, and vice versa?

Khopcha
  • It isn't clear what your question is asking. Do you want us to answer these questions? Are you looking for feedback on whether or not these are "good" questions? (in which case you are going to have to explain what you are trying to do). – Conor Mancone Mar 30 '18 at 18:13
  • I don't know, I think it's pretty clear what he is asking and perfectly relevant for this forum. However, he may have edited it since your comment. – Henry F Mar 31 '18 at 08:15
  • Yes Conor, I intend to get answers to the questions. – Khopcha Mar 31 '18 at 12:37

1 Answer


How is an exercise of independent third-party secure source code review different from penetration testing?

Secure code review is a white-box methodology where the code reviewer will be using automated tools and/or a manual approach to identify security issues in the given source code, whereas penetration testing is mostly a black-box methodology where the organisation will only provide the IP address or name/URL of the application under test. In the penetration test the security analyst usually starts with information gathering and will then identify the vulnerabilities in the system. Later, the analyst will attack the system under test and will try to penetrate deeper and deeper so as to identify more security issues and to evaluate the impact of the identified vulnerabilities.

What are the limitations of independent third-party secure source code review and penetration testing, and do they cover each other where they are limited?

It purely depends on the type of engagement with your vendor. Mostly, they don't cover each other. I personally recommend both a penetration test and a secure code review of the application. Secure code review is more of a static approach. Although modern secure code review tools offer dynamic capabilities such as taint analysis, where the data in motion is also analysed, my personal experience says that secure code review can never accomplish the results of a penetration test, and vice versa.

What areas does independent third-party secure source code review cover that penetration testing doesn't, and vice versa?

As already stated, both approaches can be used to achieve better results. I hope I can explain it better using an example. For instance, a server-side secure code review will include password management checks. In a scenario where a weak hashing algorithm such as MD5 is used to hash users' passwords, this security issue will be identified in the secure code review, whereas it may not be identified in a penetration test if server/code access is not attained.

Shiv Sahni
  • I seriously can't believe the question is called off by saying that it's a duplicate question :D But thanks Shiv! – Khopcha Apr 03 '18 at 16:05
  • Pleasure @Khopcha! I hope I was able to answer your questions. :) – Shiv Sahni Apr 03 '18 at 16:20
  • I would like to add that, specifically, secure source code review helps you to identify what vulnerabilities are there in the code. The best example is the libraries which are used. There could be a deprecated library which can only be identified when you have a secure source code review. – Khopcha Apr 07 '18 at 14:10
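The MD5 password-hashing finding from the answer above, as an added example that is not part of the question, the answer or any comment: the unsalted MD5 pattern a code reviewer would flag, beside a hardened salted PBKDF2 version, plus a check showing why the defect is visible in the code but not from a black-box test. Function names, the iteration count and the stored-hash format are assumptions.

```python
# Added example (not from the thread above). Names and format are hypothetical.
import hashlib
import hmac
import os
from typing import Callable, Optional

# --- Pattern a secure code review would flag: unsalted MD5 ---
def hash_password_weak(password: str) -> str:
    """Unsalted MD5: fast to brute-force, and equal passwords give equal digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def verify_password_weak(password: str, stored: str) -> bool:
    return hash_password_weak(password) == stored

# --- Hardened version: per-user salt, slow KDF, constant-time comparison ---
PBKDF2_ITERATIONS = 600_000  # assumption: tune to your own latency budget

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: refuse rather than guess
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)

def same_password_shares_stored_value(hash_fn: Callable[[str], str]) -> bool:
    """Reviewer's check on the stored data: do two users who pick the same
    password end up with identical stored values? True for the unsalted
    scheme, False for the salted one. This is only observable with access
    to the code or the database, which a black-box test usually lacks."""
    return hash_fn("correct horse") == hash_fn("correct horse")
```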