Secure Code Analysis
Service Overview
Secureworks will perform static code analysis. Our experienced team of consultants uses a combination of manual review and automated technology to scan the application source code and uncover security vulnerabilities, for a number of coding languages including:
- PHP
- Java
- C# .NET
- C++
- JS
- ASP.NET
- VB.NET
- Python
- Android
- Objective-C
- Perl
- HTML
- MS Visual Basic
- SQL
- Ruby
Service Methodology
After automated scanning is completed, a thorough manual review and examination is performed against the software being analyzed in order to achieve the following:
- Review data flow to identify the critical junctions where fixes will eliminate vulnerabilities
- Analyze parameters and attack vectors
- Correlate secure coding gaps to secure coding best practices
- Provide remediation guidance and recommendations
As part of this process, Secureworks will have access to the source code for the targeted application(s) in order to analyze it properly within the Secureworks lab environment.
Testing will include examination of software for a number of vulnerabilities including, but not limited to:
- Elevation of privilege exploits
- Buffer Overflows
- Race conditions
- Session management
- Authentication/Authorization
- Repudiation/Logging vulnerabilities
- Data Security Safeguards/Encryption
- Secure Communication Channels
- SQL injection
- Code injection
- Session Fixation
- Unvalidated Input
- File Upload
- Cross-Site Scripting (XSS)
Remediation Validation:
Secureworks will conduct one remediation validation (RV) for only the high- and critical-severity findings listed in the final report. After the final report is delivered, you have 90 days in which to remediate issues, schedule the RV, and have Secureworks perform the RV. You must submit the RV request through email to the Secureworks point of contact for the Web Service Test within thirty (30) days of delivery of the final report or the RV is forfeited. Secureworks will issue a brief report summarizing the results of the RV, which will include information about whether you successfully remediated the issues.
Note: Secureworks only conducts RVs remotely, regardless of whether the Web Service Test was conducted on-site.
Outcome
Secureworks will issue a report to your organization after completing the test. The report may include the following:
- Executive summary
- Methods, detailed findings, narratives, and recommendations if any
- Attachments as needed for relevant details and supporting data
Customer shall have one (1) week from delivery of the report to provide comments to be included in the final report. If there are no comments received from Customer before expiration of the review period, the report will be deemed final.
Upon completion of the Service, the Customer-designated contact will receive a secure/encrypted email confirmation from Secureworks. Unless the Customer-designated contact notifies Secureworks in writing to the contrary within five (5) business days of such email confirmation, the Service shall be deemed complete.
Scoping Information
| Scope | Description |
|---|---|
| Secure Code Analysis - Small | Up to 25,000 lines of code |
| Secure Code Analysis - Medium | 25,000 - 50,000 lines of code |
| Secure Code Analysis - Large | 50,000 - 100,000 lines of code |
Scoping Tips: Lines of code (LOC) refers to the total number of executable lines of code within the entire code base to be scanned. The total LOC excludes comments, documentation, style sheets, and any other content that is not related to program execution of the target application.
Work is conducted remotely during business hours of the Secureworks consultant.