How source code reviewing plays a crucial role in pentesting
Source code reviewing has gained significant popularity as an analytical method in recent years. Yet reviewing source code from a security perspective is still not used extensively in security assessments or pentests. Some organizations believe that malicious hackers cannot access the source code, or they consider source code reviewing too costly.
At Hacksclusive, we strongly disagree with this opinion. It's not a matter of if you will be hacked, but when and how often. It is a reasonable assumption that, sooner or later, cybercriminals could access and potentially manipulate the source code. Reviewing the source code is the most effective and efficient way to identify as many vulnerabilities as possible. In this article, we delve into what source code review entails, its role in pentesting, its applications, and the advantages it offers.
Source Code reviewing and pentesting: a match made in heaven
You're likely familiar with pentesting (short for penetration testing): ethical hacking to expose vulnerabilities in devices, networks, servers, and/or applications. Not everything is visible on the surface. Vulnerabilities always exist, and if you're not actively searching for them, you won't notice them until it's too late, when a cyber attack or data breach has already happened. Ethical hackers are employed to penetrate the IT infrastructure. If they get in through a vulnerability, that is the area where the defenses need strengthening. In short, prevention is better than cure.
Source code reviewing is a component of pentesting, specifically a form of 'whitebox' pentesting in which the ethical hackers have full knowledge of an application, including access to its source code. Source code reviewing also takes place during the software development process, where it assesses the quality of the source code by asking questions such as:
- Are coding standards applied, are security best practices used consistently, and is the code free of unnecessary lines?
- Is the code understandable, easily readable, and transferable?
From a security perspective, source code reviewing primarily examines whether the code contains security-relevant errors. The central question is: 'Are there weaknesses or errors that could lead to potential vulnerabilities?'
Normally, with source code review, you analyze the source code line by line. This is a time-consuming and labor-intensive process. A simple web application easily contains more than 10,000 lines of code, and complex applications may have over 1,000,000 lines of code. On average, the source code contains 10 errors per 1,000 lines of code. Fortunately, most errors are minor, but some can cause vulnerabilities that compromise the security of a device or application.
Hacksclusive has developed an effective and efficient approach for analyzing source code for security flaws and/or weak points in security. The approach combines hands-on pentesting with code review. Initially, the functionality and workflow of, for example, a web application are mapped out.
Next, the code of the most critical functionality, from a security perspective, is analyzed. Possible errors or weak points that could lead to vulnerabilities are then verified. This is an approach that could be called reverse engineering.
Finally, in consultation with developers, a smart search is conducted for similar errors or other weak points in the code. This way, many vulnerabilities can be identified efficiently.
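The last step, hunting for sibling instances of a flaw that has already been confirmed, is the part that a small amount of tooling can speed up. As an added example (not Hacksclusive's method or tooling), the Python script below takes one confirmed finding class, SQL queries assembled with string formatting and handed to a DB-API cursor, and reports every other call site of that class in a source file; the sink names and the sample code it scans are assumptions constructed for this example.

```python
import ast

SINK_NAMES = {"execute", "executemany", "executescript"}  # assumed DB-API sink names


def _dynamic_reason(node):
    """Return how the expression builds a string at runtime, or None if it is a literal."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return "string concatenation" if isinstance(node.op, ast.Add) else "%-formatting"
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        return ".format() call"
    return None


def find_dynamic_sql(source, filename="<memory>"):
    """Return (file, line, reason) for each sink call whose query text is assembled at runtime.
    A query first stored in a local is resolved one level inside the same function;
    parameterised calls (literal query plus a params tuple) are not reported."""
    findings = []
    for func in ast.walk(ast.parse(source, filename)):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        assigned = {}  # local name -> last expression assigned to it (simple targets only)
        for node in ast.walk(func):
            if isinstance(node, ast.Assign):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        assigned[target.id] = node.value
            elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                  and node.func.attr in SINK_NAMES and node.args):
                arg = node.args[0]
                if isinstance(arg, ast.Name):  # follow  q = ...; cur.execute(q)
                    arg = assigned.get(arg.id, arg)
                reason = _dynamic_reason(arg)
                if reason:
                    findings.append((filename, node.lineno, reason))
    return findings


# Constructed sample: one parameterised query and three variants of the same flaw.
SAMPLE = '''def by_id(cur, uid):
    cur.execute("SELECT * FROM users WHERE id = ?", (uid,))
def by_name(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
def by_mail(cur, mail):
    cur.execute("SELECT * FROM users WHERE mail = '%s'" % mail)
def by_role(cur, role):
    q = "SELECT * FROM users WHERE role = '" + role + "'"
    cur.execute(q)
'''
```

Running `find_dynamic_sql(SAMPLE, "sample.py")` reports lines 4, 6 and 9 and leaves the parameterised query on line 2 alone; queries that travel through more than one variable or across functions still need the reviewer's eyes, which is why the page pairs this search with developer consultation.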
Source code reviewing has lots of advantages
Analyzing your source code offers numerous advantages for both software developers and ethical hackers. Here are some key benefits:
- Provides In-Depth Insights: Source code reviewing provides the tester with in-depth insights into the internal workings of the system. This approach helps identify vulnerabilities that might be overlooked in blackbox and greybox pentests.
- Identifies Design Flaws: Source code reviewing aids in identifying design flaws within the system, such as incorrect input validation or insecure data storage. These design flaws can lead to severe security issues; other testing approaches might only surface them as individual instances, whereas a code review shows the underlying pattern as a whole. Without that view, such vulnerabilities often remain unknown or undiscovered.
- Validates Security Controls: Source code reviewing helps validate the effectiveness of security controls, such as access controls and authentication mechanisms. This approach assists in identifying weaknesses in these controls and improving their effectiveness.
- Clarifies Implementation of Complex Business Logic: It provides insight into the implementation of complex business logic, where various steps are needed to complete a process. This functionality often consumes a lot of time during hands-on testing. Access to the implementation allows an efficient evaluation of how input data and similar factors pass through the functions.
- Aids in Obtaining Security Accreditations: Many industry regulations and standards, such as GDPR, NIS2, ISO 27001, BIO, SOC 1&2, and SOC3, require regular security tests, including pentests with substantial knowledge of the software. Regular pentests can help organizations comply with these regulatory requirements.
- Prioritizes Remediation Efforts and Prevents Vulnerabilities: Source code reviewing helps organizations improve overall cybersecurity by identifying vulnerabilities and weak points in their systems, offering a picture of recurring issues. The findings from tests can be used to prioritize remediation efforts, allocate security resources, and implement effective security controls.
In summary, source code reviewing provides pentesters with a wealth of information when searching for vulnerabilities. It offers in-depth insights, identifies design flaws, validates security controls, helps comply with laws and regulations, and enhances overall cybersecurity.
“The more information you have as an ethical hacker, the more accurately you can pentest. That's why source code reviewing is a powerful method to deploy in hands-on testing”
Source code reviewing extends beyond web applications
Source code reviewing is applied to various digital assets such as web and mobile applications and firmware. It is a crucial aspect of the software development process that ensures code quality, maintainability, and security. Source code reviewing can be applied to the following digital assets.
Applications
Source code reviewing can be applied to examine the source code of (web) application software for security issues. This can be done in all common programming languages, such as Java, PHP, Ruby on Rails, C, C++, Python, and JavaScript. The code is checked for issues like cross-site scripting (XSS) and SQL injection.
Mobile apps
Mobile applications, typically iOS and Android, can also be reviewed. Common vulnerabilities here include insecure storage of sensitive data, hard-coded login credentials, and weak encryption.
Firmware
Firmware refers to the software embedded in hardware devices. When these devices are connected to the internet, they are also known as Internet of Things (IoT) applications, like printers, routers, and cameras. These devices are often targets for cyber attacks due to their internet connectivity and the often poorly secured simple hardware. Source code reviewing helps inspect the code of these devices, focusing on preventing weak passwords (e.g., due to poor default configurations), buffer overflows, code injection, and insecure network protocols.
Even Microsoft and Google face code issues
Anyone assuming that source code errors are exclusive to small and medium-sized businesses is mistaken. Source code errors have been a problem for tech giants like Microsoft and Google since day one. Code errors often translate into zero-day vulnerabilities: vulnerabilities in software that are unknown to the developers or for which no fix exists yet. In the case of a zero-day vulnerability, cybercriminals know about the flaw before the developers do, hence the name: the developers have had 'zero days' to fix the error before it is exploited. Microsoft recently dealt with a zero-day vulnerability, and a few years ago, Google faced a zero-day vulnerability that was heavily exploited.
Source code reviewing could likely have prevented both errors. Is it then careless that companies like Microsoft and Google don't review their applications? Cynics might say so. The reality is that applications like the JavaScript engine and Microsoft Outlook contain so much code that a choice often has to be made about which code gets reviewed and which doesn't. Fortunately, tools like Checkmarx and GitLab exist to speed up code reviews.
Source Code Reviewing: The Ultimate Tool in Whitebox Pentesting
Source code reviewing and pentesting are not synonymous, but they are closely related. An in-depth examination of an application or device is hardly complete without source code reviewing. By scrutinizing the core of the system, a pentester assesses and helps improve the code's quality, and consequently the cybersecurity of the application or software.
Despite its significant value, involving source code reviewing in pentests has its drawbacks. Unsurprisingly, analyzing the source code can be time-consuming. Moreover, sharing the source code with a pentest party requires a considerable level of trust. Therefore, for each pentest assignment, we evaluate whether source code reviewing is beneficial for our client, considering whether it aligns with the specified scope and budget. However, in our opinion, conducting pentests with extensive knowledge of the application or software leads to the most comprehensive insights.