# Software Assessment and Code Review

* Static Code Analysis
  * Examine the source code without running it.
  * Automated, using a tool (a source code security analyzer).
  * Manual, without a tool, AKA peer review / code review.
  * <https://www.nist.gov/itl/ssd/software-quality-group/source-code-security-analyzers>
* Formal Methods
  * Machine-assisted: mathematically prove that the code meets its specification, rather than just testing a sample of inputs.
  * Tools model every code path: branches, loops, unreachable code.
* User Acceptance Testing (UAT)
  * Beta versions
  * (Some) real users become testers
  * They will follow your test guidelines… or not, so expect inputs and workflows you never planned for.
* Regression Testing
  * Run whenever code changes: new features, bug fixes, patches.
  * Make sure that the new code doesn't break existing code/features (re-run the old tests, not just the new ones).
* Reverse engineering
  * Deconstruct compiled code back toward source code (disassembly, then decompilation).
  * Not always fully possible: names, comments and structure are lost when code is compiled.
  * Three levels
    * Machine code (the compiled binary the CPU executes)
    * Assembly code (human-readable mnemonics for the machine code)
    * High-level code (the programming languages we write in)
  * For malware: use a sandbox, an isolated environment that is a safe place to detonate the sample and observe what it does.
  * Against reverse engineering (anti-RE techniques)
    * Code obfuscation (make the code deliberately hard to read)
    * Code encryption (packing; the code is decrypted only at run time)
* Dynamic Analysis: examine the program while it runs.
  * Debuggers
    * Pause execution, step through the code, determine which branch is taken, watch variables, etc.
  * Stress/load testing
    * Determine the limits of the application: how much traffic or data it handles before it fails.
  * Fuzzing
    * Throw malformed, unexpected or random inputs at your app and watch for crashes and unhandled errors.
    * Focus on diversity of inputs, not quantity.
  * Types of fuzzing:
    * Application UI (form fields, parameters)
    * Protocol (crafted network messages sent to the listening service)
    * File format (malformed files fed to the parser)
  * Burp Suite: web application testing proxy; intercept and modify HTTP requests between browser and server, and its Intruder tool fuzzes web parameters.
* Assessing Vulnerabilities in Code
  * Authentication (weak or missing checks of who the user is)
  * Injection flaws (untrusted input reaches an interpreter: SQL, OS command, LDAP)
  * Authorization (users reaching data or functions they should not)
  * Error handling (errors that leak internal details or leave the app in an unsafe state)
  * Encryption (weak or missing cryptography for data at rest and in transit)
  * Auditing/logging (security events not recorded, or recorded without enough detail)
  * Session flaws (predictable, non-expiring or stealable session tokens)
  * Insecure configurations (defaults, debug features and unneeded services left on)
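
The static code analysis bullets above describe examining source code without running it; the following is an added example (not code from this page) of the automated, tool-driven form. It parses Python source into an AST and reports dangerous calls and SQL built from string operations. The rule set, the `analyse`/`scan_sample` helpers and the sample source being reviewed are all constructed for this example.

```python
"""Tiny static code analyser (added example, not from the page).

It parses Python source into an AST and inspects it without executing
anything, which is the defining property of static analysis. The rules and
the sample source below are constructed for this example.
"""
import ast
from typing import List, Tuple

# Call targets we treat as dangerous sinks (bare name or module.attr form).
DANGEROUS_CALLS = {"eval", "exec", "os.system", "pickle.loads", "yaml.load"}
SQL_VERBS = ("SELECT", "INSERT", "UPDATE", "DELETE")


def _call_name(node: ast.Call) -> str:
    """Resolve a call to 'func' or 'module.func'; '' if it is something else."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def _looks_like_sql(node: ast.AST) -> bool:
    """True for a string literal that starts with an SQL verb."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and node.value.lstrip().upper().startswith(SQL_VERBS))


def analyse(source: str) -> List[Tuple[int, str]]:
    """Return sorted (line, message) findings for the given Python source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DANGEROUS_CALLS:
                findings.append((node.lineno, f"dangerous call {name}()"))
            # subprocess.<anything>(..., shell=True) hands the argument to a shell
            if name.startswith("subprocess.") and any(
                    kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True for kw in node.keywords):
                findings.append((node.lineno, f"{name}() called with shell=True"))
        # "SELECT ..." + value  and  "SELECT ... %s" % value
        if (isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod))
                and _looks_like_sql(node.left)):
            findings.append((node.lineno, "SQL built by string concatenation/formatting"))
        # f"SELECT ... {value}"
        if isinstance(node, ast.JoinedStr) and node.values and _looks_like_sql(node.values[0]):
            findings.append((node.lineno, "SQL built with an f-string"))
    return sorted(findings)


# Constructed sample under review: lines 4, 5, 9, 10 and 15 should be flagged;
# the parameterised query on line 11 should not.
SAMPLE = '''\
import os, subprocess

def run(cmd):
    os.system(cmd)
    subprocess.run(cmd, shell=True)

def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchall()

def calc(expr):
    return eval(expr)
'''


def scan_sample() -> List[Tuple[int, str]]:
    """Run the analyser over SAMPLE."""
    return analyse(SAMPLE)


if __name__ == "__main__":
    for line, msg in scan_sample():
        print(f"line {line}: {msg}")
```

Pattern-matching on the syntax tree is what keeps this static: nothing in the reviewed file is imported or executed, so it is safe to point at untrusted code. Real analyzers such as those in the NIST list add data-flow tracking so that a tainted value is followed from input to sink instead of only spotting suspicious literals.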
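
The fuzzing bullets above (file-format fuzzing, diversity of inputs over quantity) are illustrated by this added example, which is not code from this page. It targets a toy record format invented here, mutates a valid seed file with several different strategies, and reports every exception type that escapes the parser other than the `ValueError` its contract allows. The format, the `parse_records` parser and its bugs, and the `mutate`/`fuzz` helpers are all assumptions made for the example.

```python
"""Mutation-based file-format fuzzer (added example, not from the page).

Target: a toy parser for a constructed record format
    "REC1" | count (1 byte) | count x [ len (1 byte) | name (len bytes) ]
The parser's contract is to reject malformed input with ValueError. Any
other exception escaping it is a crash the fuzzer should surface. The
format, the parser, its bugs and the mutation set are all invented here.
"""
import random
from typing import Dict, List, Tuple

MAGIC = b"REC1"
SEED = MAGIC + b"\x02" + b"\x03bob" + b"\x05alice"   # constructed valid input


def parse_records(data: bytes) -> List[bytes]:
    """Parse the record file. Contract: malformed input -> ValueError."""
    if data[:4] != MAGIC:
        raise ValueError("bad magic")
    count = data[4]                     # bug: IndexError if the file is exactly 4 bytes
    names: List[bytes] = []
    pos = 5
    for _ in range(count):
        length = data[pos]              # bug: IndexError when a length claims more bytes than exist
        names.append(data[pos + 1:pos + 1 + length])
        pos += 1 + length
    # Plausibility check on average name length: ZeroDivisionError when count == 0
    if sum(len(n) for n in names) // count > 64:
        raise ValueError("implausible record lengths")
    return names


STRATEGIES = ("bitflip", "truncate", "boundary_byte", "insert", "repeat")


def mutate(buf: bytes, rng: random.Random) -> Tuple[str, bytes]:
    """Apply one randomly chosen mutation; return (strategy name, new input)."""
    if not buf:
        return "noop", buf
    out = bytearray(buf)
    strategy = rng.choice(STRATEGIES)
    if strategy == "bitflip":           # flip one bit anywhere
        i = rng.randrange(len(out))
        out[i] ^= 1 << rng.randrange(8)
    elif strategy == "truncate":        # cut the input short
        out = out[:rng.randrange(len(out))]
    elif strategy == "boundary_byte":   # overwrite a byte with a boundary value
        out[rng.randrange(len(out))] = rng.choice((0x00, 0x01, 0x7F, 0x80, 0xFF))
    elif strategy == "insert":          # splice in a few random bytes
        i = rng.randrange(len(out) + 1)
        out[i:i] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    else:                               # repeat: duplicate a chunk in place
        i = rng.randrange(len(out))
        j = rng.randint(i, len(out))
        out[j:j] = out[i:j]
    return strategy, bytes(out)


def fuzz(seed: bytes, iterations: int, rng_seed: int = 1) -> Dict[str, Tuple[str, bytes]]:
    """Return the first crashing input found for each exception type (ValueError excluded)."""
    rng = random.Random(rng_seed)
    crashes: Dict[str, Tuple[str, bytes]] = {}
    for _ in range(iterations):
        buf, chain = seed, []
        for _ in range(rng.randint(1, 3)):      # stack 1-3 mutations for more diverse inputs
            name, buf = mutate(buf, rng)
            chain.append(name)
        try:
            parse_records(buf)
        except ValueError:
            pass                                # rejected cleanly: the contract held
        except Exception as exc:                # anything else is a crash worth triaging
            crashes.setdefault(type(exc).__name__, ("+".join(chain), buf))
    return crashes


if __name__ == "__main__":
    for exc_name, (chain, data) in fuzz(SEED, 5000).items():
        print(f"{exc_name:18} via {chain:30} input={data!r}")
```

The mix of strategies is the point: bit flips alone rarely produce a zero count field or a truncated file, while boundary values and truncation find those cases quickly. Recording which mutation chain produced each crash gives the developer a reproducer, which is the output a fuzzing run should deliver.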
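
Two of the flaw categories listed above, injection and authorization, shown as a vulnerable function beside its hardened form. This is an added example and not code from this page; it uses an in-memory SQLite database with constructed users and documents, and every function and table name is an assumption made for the example.

```python
"""Injection and authorization flaws, vulnerable beside hardened
(added example, not from the page). Uses an in-memory SQLite database
with constructed sample data.
"""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample data. Passwords are stored in clear for brevity;
    real code stores salted, slow hashes (that is the 'Encryption' category)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    conn.execute("CREATE TABLE documents (id INTEGER, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)",
                     [(1, "alice", "alice private notes"), (2, "bob", "bob todo list")])
    return conn


# --- Injection flaw -------------------------------------------------------

def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """Builds SQL from user input: name = "alice' --" comments out the password check."""
    query = f"SELECT role FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """Parameterised query: input is bound as data and can never change the SQL."""
    row = conn.execute("SELECT role FROM users WHERE name = ? AND password = ?",
                       (name, password)).fetchone()
    return row[0] if row else None


# --- Authorization flaw ---------------------------------------------------

def read_document_vulnerable(conn: sqlite3.Connection, doc_id: int, requester: str) -> Optional[str]:
    """Authenticated but not authorized: any user can read any document by id."""
    row = conn.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def read_document_hardened(conn: sqlite3.Connection, doc_id: int, requester: str) -> Optional[str]:
    """Object-level authorization: the row must also belong to the requester."""
    row = conn.execute("SELECT body FROM documents WHERE id = ? AND owner = ?",
                       (doc_id, requester)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login as alice with bad password:", login_vulnerable(db, "alice' --", "x"))
    print("hardened login, same input:", login_hardened(db, "alice' --", "x"))
    print("bob reads alice's doc (vulnerable):", read_document_vulnerable(db, 1, "bob"))
    print("bob reads alice's doc (hardened):", read_document_hardened(db, 1, "bob"))
```

When reviewing code for these categories, look for the same two shapes: any query or command assembled from strings that include user input (injection), and any data access keyed only by an identifier the user supplies, with no check that the caller is allowed to see that object (authorization).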
