Software Assessment and Code Review

Static Code Analysis
- Look at the code.
- Automatic using a tool.
- Manual without a tool. AKA Peer review
- https://www.nist.gov/itl/ssd/software-quality-group/source-code-security-analyzers
Formal Method
- Machine-led
- Track code paths: branches, loops, unreachable code.
User Acceptance Testing (UAT)
- Beta versions
- (some) users become testers
- They will follow your guidelines… or not.
Regression Testing
- Happens for new code or features
- Make sure that the new code doesn’t break past code/features
Reverse engineering
- Deconstruct compiled code into source code
- Not always fully possible
- Three levels
  - Machine code (compiled)
  - Assembly code
  - High level code (programming in languages we know)
- For malware: sandbox. Safe place to detonate malware
- Against reverse engineering
  - Code obfuscation
  - Code encryption
Dynamic Analysis
- Debuggers
  - Pause execution, determine code branch, watch variables, etc
- Stress/load testing
  - Determine limits
- Fuzzing
  - Throw various inputs at your app
  - Focus on diversity, not quantity
- Types of fuzzing:
  - Application UI
  - Protocol
  - File format
- Burp Suite
Assessing Vulnerabiities in Code
- Authentication
- Injection flaws
- Authorization
- Error handling
- Encryption
- Auditing/logging
- Session flaws
- Insecure configurations

Last updated 2 years ago