Code Quality & Security Audit


Software code audit

In order to help investors manage quality and security risks associated with investing in a software company, our services can highlight any potential areas of concern.


What is a code audit?

A software code audit is a comprehensive analysis of source code in a programming project with the intent of checking for quality, discovering bugs, potential security breaches or violations of programming conventions.

Why should I perform a code audit?

If you are investing in a software company or buying software IP you will want to know if the code is of a good standard, is maintainable and if it is secure. We will help you to:

  • Understand how the code has been written and to what standard
  • Locate any existing and potential bugs
  • Find any potential security issues and vulnerabilities
  • Validate the current performance and scalability
  • Assess the code maintainability level


What we do

We can help determine quality of the source code which can be helpful in determining the value of the software product(s) in question.
We'll audit the code and produce a report detailing our general impressions, annotation and code quality. The reliability, vulnerabilities, maintainability and coverage will also be reviewed.

As part of our reporting we will deliver recommendations for the next 100 days post-transaction, which can help improve the process and delivery of the software.

OWASP code audit

We can produce a detailed code audit report fit for the CTO or head of development that will highlight areas of concern and rank them using the DREAD risk assessment model.


Dread risk assessment model

DREAD is part of a system for risk-assessing computer security threats. It provides a mnemonic for risk rating security threats using five categories.

The categories are:

  • Damage – how bad would an attack be?
  • Reproducibility – how easy is it to reproduce the attack?
  • Exploitability – how much work is it to launch the attack?
  • Affected users – how many people will be impacted?
  • Discoverability – how easy is it to discover the threat?

 

Security

Acquiring or investing in a software company can be risky. Our security researchers can review your source code to make sure there are no security flaws which would help a user of the software or website gain access to areas they should not, restricted databases, or the potential to include their own code on the website.

However, the actual purpose of code auditing is to check whether any functions or techniques are vulnerable. For example C/C++ strcpy () and strcat() can be vulnerable to buffer overflow, or web apps can allow XSS or SQL injection, along with many other potential risks including any client/server messaging.

Our web/app pen test can pick up any problems with web-facing applications, but a code-audit is more in-depth and can pick up potential issues which may not currently be visible to the front-end user.

Languages

We have delivered code audits in the following languages:
C#, C++, PHP, .Net, Python, Java, JavaScript, SQL, Ruby on Rails, iOS/Swift, Visual Basic.