
We have a PHP application that we know has poor coding practices (because the developers did not have a good understanding of PHP / programming fundamentals). This could lead to the scenario where we have severe security flaws in our code even at the "logic level".

How/Where do I locate a consulting team that would do a manual code review to actually understand what WE were trying to do and then see where we went wrong / how the process could be circumvented? We tried a consultant which did what appeared to be just an automated scan of the code, and that added absolutely no value.

This question is based on Getting a manual security code review done - What to watch out for? - I'm the same person, but I can't access my earlier cookie-based session anymore.

siliconpi

3 Answers


Code review can be an expensive use of a consultant's time and therefore your budget; to ensure you are getting value for money you could look to do the following:

  1. Triage the code you require to be reviewed. This way you may find that you can focus on code that completes specific roles such as authorisation / session management / specific business logic, etc., that you are worried about. If you then have budget left over you can move on to other, less critical code areas.

  2. Estimate the time and effort required. As a very rough estimate you can use 1k lines of code = one full day of review (not including reporting). Different languages and code complexity will change this, but it provides a good starting point when looking at budget requirements.

  3. Automation as an aid. Automated code scanning has its place, but only adds value if the consultant knows how to configure the tool and use it as an aid in their manual review. Using a blended automated-manual approach can speed the engagement up and lead to a reduced cost. The consultant should be skilled enough in the language being reviewed to understand the security issues and to remove any false positives, as well as ensure no false negatives get through.

  4. Threat model the application. If you can understand the business logic and how attackers can interact with your application to a level that enables you to model potential attack vectors, then this will help define a more specific and focused code review. This level of detail can then be passed on to the consultant to ensure that they are aware of how the application works, and this will enable them to provide tailored advice and guidance rather than a generic "here are some risks".

  5. Place the findings into the context of the application. At the end of the day you will need to make a call on which issues to fix and in what order of priority. Challenge the consultant to make clear recommendations and to provide evidence to help understand if findings from the code review are actually a threat; i.e. if the code found to be vulnerable is at the back end and there is no route for user interaction, then this is a lower risk than if the vulnerable code is in the main authorisation code presented to the end user. This should reduce time internally and therefore become a cost saving that can be offset against the cost of the code review.

David Stubley
  • +1, good advice here. However, I would make one small change: most of these items should be done by the *consultant*, he's the expert and there's no reason for you to do his work for him. If he just gives you raw findings data without translating them to business risk - he only did half the job, and missed the point of the first half too. If you want, you can break this up into subprojects: e.g. first do threat modeling to get an idea of the scope and where to focus, *then* based on that you can have a minimal, focused, efficient code review. – AviD Dec 05 '10 at 08:36

It depends on which country you're located in. But there are a few things you should watch out for.

First, clearly define and document what you want to know. Do you want an in-depth security review? Do you want an (in-depth?) quality review? Do you want advice/recommendations from the consultant regarding the development process? Do you want advice regarding choosing a development company? Make sure you make ALL your expectations explicit and document them in detail.

Besides that, make sure to choose a competent firm. Ask for references and spend some time finding a good one. Be prepared to spend some money on it; manual code review is VERY time consuming. Don't go for the very cheap ones, since they cannot provide you a real solution, simply because time = money and you need the time to perform an in-depth manual review.

In this case you need a very technical consultancy firm; don't take a management consultancy firm which also provides technical services.

Henri
  • Totally agree with Henri on the need to decide what you want from the review, if it is a "Where are my vulnerabilities?" within the code you should engage a technical security consultancy who focus on security / penetration testing and therefore understand the threats. – David Stubley Dec 03 '10 at 08:25
  • Take into account that in most cases, businesses won't have half a clue *what* they want, much less what that means in relation to the other options. Usually, they were just told to "get some security", and unless they either have a security guy on board, or have already gone through this, you would need to really lay out a menu for them, and explain to *them* what they need. But I definitely agree on the technical firm - though you don't want a *purely* technical one that doesn't understand your business. – AviD Dec 05 '10 at 08:40

You need to consider both the breadth and depth of the review. By breadth, I mean what range of risks/attacks/threats will be covered in the review. You should start with the OWASP Application Security Verification Standard to get an idea of what ought to be covered here. By depth, I mean how well will the consultant verify that each area has been adequately defended. At the low end, an automated tool scan provides little assurance. At the high end, a manual inspection or actual test case should essentially prove that the correct defenses are in place, have been designed correctly, and are used everywhere that they need to be.

Don't fall for the argument that code review is necessarily more time consuming than other approaches. In many cases it is hands-down the most efficient way to verify security quickly, accurately, and with the best coverage possible.

Check with some of the companies involved with OWASP. They've got extensive experience verifying the security of web applications cost-effectively.

planetlevel
  • Effectively - yes; efficiently - not so much. Code review **is** more time consuming, but that's not to say it's not worth it. Don't go in expecting this to take as long as a simple, surface-deep penetration test - it will take more resources, more time, and expect to pay more per hour for the higher expertise. – AviD Dec 05 '10 at 08:42
  • In my experience in development (not focusing on security issues), code review is hands-down more efficient than testing. It *seems* longer, but when you find a bug in a code review, it's generally a straight line to a fix versus debugging to find the problem based on a test failure. Review also tends to be more complete than testing, and finding+fixing bugs before the product leaves the building is literally 100x cheaper than after they've been found by a customer. Security bugs probably have an even bigger multiplier. – bstpierre Dec 21 '11 at 00:59