A software source code audit is a comprehensive analysis of the source code of a software project and is an important part of application security. It is done with the intent of finding bugs, security vulnerabilities, violations of programming conventions, and anything else that could cause errors, before the software is released. It may also be done after release, before future versions of the software are shipped.
Proactively looking for security holes reduces risk and avoids the much larger cost of dealing with a flaw after release: support effort, theft of software and data, financial and reputational damage to a company, physical injury where software controls equipment, and more.
What to look for and do when auditing software source code
- Security testing: check for anything that enables an attacker to gain access to, or control over, the application's files or database.
- Examine each component for errors. Each component should be examined on its own, and then together with the rest of the project, because whether a flaw in one component is exploitable often depends on how the other components call it.
- Buffer overflow checking: look for code that causes memory errors, such as writes past the end of an array or copies into a fixed-size buffer without a length check.
- Search for high-risk vulnerabilities first and work down toward lower-risk ones, so that limited review time is spent on the flaws with the greatest impact.
- Penetration testing: attack the running program with as many known techniques as possible to break it or take it down, and feed the results back into the code review.
- SQL injection vulnerability checks: look for any place where untrusted input becomes part of a SQL statement and could be used to dump or alter database contents.
- File inclusion vulnerability checks: look for code that can be made to output the contents of an arbitrary file, execute code on the client or the server, cause a denial of service, or steal or manipulate data.
- Check for any libraries that may be linked to malicious code: look for external code (third-party libraries, plugins, build scripts) that can modify the application's structure or behaviour, and verify where each dependency came from and that it is what it claims to be.
- Client-side code vulnerability checks: look for code that affects the client rather than the server, such as script that runs in the user's browser.
- Username and credential checks: look for default, common, or hard-coded usernames and passwords that can log in to the application.
- Check for any other insufficient security validation, such as access to files or functions that are not intended to be accessible.
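Two of the checks in the list above, SQL injection and file inclusion, shown as a vulnerable function beside its hardened form. This is an added example, not code from the original article; the table layout, the function names, and the sample data are constructed for the demonstration and use only Python's standard library (sqlite3, os, tempfile).

```python
"""Vulnerable-versus-hardened pairs for two audit checks: SQL injection and
file inclusion (path traversal). Added example, not code from the original
article. All data and names are constructed for the demonstration."""
import os
import sqlite3
import tempfile


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, one of them an administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 0), ("bob", 0), ("root", 1)])
    return conn


# --- SQL injection: string concatenation vs. bound parameters -------------

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The caller's input becomes part of the SQL statement itself, so a value
    # such as  x' OR '1'='1  rewrites the WHERE clause.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_hardened(conn: sqlite3.Connection, name: str) -> list:
    # The value travels separately from the statement as a bound parameter;
    # it can never close the quote or add a clause. This is the fix an audit
    # should recommend wherever the vulnerable pattern is found.
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


# --- File inclusion / path traversal: unvalidated path vs. confined path ---

def read_report_vulnerable(base_dir: str, filename: str) -> str:
    # os.path.join discards base_dir entirely if filename is absolute, and
    # "../" segments walk out of base_dir, so any readable file is exposed.
    with open(os.path.join(base_dir, filename), encoding="utf-8") as fh:
        return fh.read()


def read_report_hardened(base_dir: str, filename: str) -> str:
    # Resolve the final path and refuse anything that does not stay inside
    # base_dir. Checking the resolved path rather than the input string also
    # catches symlinks and absolute paths.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing to read outside {base}: {filename}")
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def demo_path_traversal() -> dict:
    """Build a constructed directory layout (a reports/ directory and a secret
    file one level above it) and run both readers against a traversal input.
    Returns what each reader did."""
    with tempfile.TemporaryDirectory() as tmp:
        reports = os.path.join(tmp, "reports")
        os.mkdir(reports)
        with open(os.path.join(reports, "q1.txt"), "w", encoding="utf-8") as fh:
            fh.write("quarterly report")
        with open(os.path.join(tmp, "secret.txt"), "w", encoding="utf-8") as fh:
            fh.write("db password")
        traversal = os.path.join("..", "secret.txt")
        result = {"normal": read_report_hardened(reports, "q1.txt"),
                  "vulnerable": read_report_vulnerable(reports, traversal)}
        try:
            read_report_hardened(reports, traversal)
            result["hardened"] = "read"
        except PermissionError:
            result["hardened"] = "blocked"
        return result


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))
    print("hardened:  ", find_user_hardened(db, payload))
    print("traversal: ", demo_path_traversal())
```

During an audit, the vulnerable forms are what to search for: any SQL statement assembled by concatenation or string formatting from a value the caller controls, and any file open whose path is not confined to a known directory after resolution.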
Software source code audits are specific to the programming language in use. Many automated tools can help with the process and are updated constantly, but they should not be relied upon completely for an in-depth audit. Always follow established best practices and policies when performing a software source code audit.
Most software auditing tools are open source and can detect many classes of vulnerability, but their alerts should be examined case by case. Some alerts are false positives, depending on what the application does, or because the flagged component is internal and not exposed to attack. A technical audit of the software, followed by redevelopment of the parts found to be weak, is a good way to start the process.
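To show what "high risk first" and case-by-case triage of tool output look like in practice, here is an added example of a minimal audit helper built on Python's ast module. It is not a real auditing tool and not code from the original article; the rules, the severity labels, and the SAMPLE source it scans are all constructed for this illustration. It flags three of the four calls in SAMPLE as high risk, and one of the three (the query built from the module constant TABLE) is a false positive that only a human reviewer can dismiss.

```python
"""A minimal source-audit helper built on Python's ast module. Added example,
not part of the original article and not any real tool; it shows why the
output of an automated checker is a worklist to triage, not a verdict."""
import ast
from dataclasses import dataclass

# Report ordering: highest risk first. The labels and ranks are an assumption
# of this example, not a standard scale.
SEVERITY = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    severity: str
    line: int
    rule: str
    detail: str


def _is_constant_string(node: ast.AST) -> bool:
    """True if the expression is a literal string and so needs no review."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return True
    if isinstance(node, ast.JoinedStr):  # f-string: constant only if no {} parts
        return all(isinstance(v, ast.Constant) for v in node.values)
    return False


def _call_name(node: ast.Call) -> str:
    """'cursor.execute' for cursor.execute(...), 'open' for open(...)."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


class Auditor(ast.NodeVisitor):
    """Walks every call expression and applies a few heuristic rules."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        first = node.args[0] if node.args else None
        if name.endswith(".execute") and first is not None and not _is_constant_string(first):
            # Any non-literal SQL is flagged; the reviewer must decide whether
            # the non-literal part is user input or a trusted constant.
            self.findings.append(Finding("high", node.lineno, "sql-injection",
                "non-literal SQL passed to execute(); verify it is parameterized"))
        elif name == "open" and first is not None and not _is_constant_string(first):
            self.findings.append(Finding("medium", node.lineno, "file-inclusion",
                "open() on a computed path; verify it cannot leave the intended directory"))
        elif name in ("eval", "exec"):
            self.findings.append(Finding("high", node.lineno, "code-execution",
                f"{name}() evaluates arbitrary code"))
        for kw in node.keywords:
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                self.findings.append(Finding("high", node.lineno, "command-injection",
                    f"{name}(shell=True) hands the command line to a shell"))
        self.generic_visit(node)


def audit_source(source: str) -> list:
    """Parse one file's source and return findings, highest severity first."""
    auditor = Auditor()
    auditor.visit(ast.parse(source))
    return sorted(auditor.findings, key=lambda f: (SEVERITY[f.severity], f.line))


# Constructed input: one real SQL injection (line 6), one safe parameterized
# query (line 9), one concatenation of a module constant that the heuristic
# cannot tell apart from user input (line 12), and a shell=True call (line 15).
SAMPLE = '''
import subprocess
TABLE = "users"

def lookup(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")

def lookup_safe(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))

def count(cursor):
    cursor.execute("SELECT count(*) FROM " + TABLE)

def ping(host):
    subprocess.run("ping -c 1 " + host, shell=True)
'''

if __name__ == "__main__":
    for f in audit_source(SAMPLE):
        print(f"{f.severity:6} line {f.line:3} {f.rule}: {f.detail}")
```

The finding on line 12 is the point of the exercise: the checker cannot know that TABLE is a trusted constant, so it reports the same rule as the genuine injection on line 6. A reviewer closes it after confirming that TABLE is never assigned from input; the line 6 and line 15 findings become fixes. Real tools apply far richer rules and data-flow tracking, but the triage step is the same.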