Code security audits

Our methodology focuses first on the manual analysis of the most critical modules, those involving user interactions, and then on the automated analysis of the entire codebase. We also assess the ease of maintenance, readability and overall quality of the code.

The following aspects are taken into account.

It is of the utmost importance to eliminate any possibility of code injection, which an attacker could use to alter the normal flow of command execution and access restricted data or the underlying system. As such, an application must (amongst other things):

  • filter user inputs and escape the special characters specific to the underlying language in use. For instance, when dealing with SQL, characters such as *'"% must absolutely be removed before a request built from the input is executed
  • systematically use stored procedures to build SQL requests
  • reduce to the strict minimum the rights granted to the account the application uses to connect to the backend database

Amongst the various controls we perform to ensure that user authentication and sessions are properly partitioned within the audited application are:

  • securing session cookies
  • implementing non-verbose error messages on the user interfaces

Applications often embed resource identifiers within the generated web pages. If no control is performed when access to a resource is requested, an insecure direct object reference issue can arise. Algosecure prevents this type of attack:

  • by implementing only indirect references, per user and per session
  • for each attempt at such a direct reference, by checking that the user has the appropriate rights to access the resource
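As an added illustration (not part of Algosecure's own material), the Python sketch below combines the two controls above: resources are exposed to the client only through opaque per-session tokens, and every resolution re-checks the user's rights before the direct identifier is used. The resource table, owners and session class are constructed sample data.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data: direct identifiers (e.g. database row ids) and the
# user who owns each resource. In a real application this comes from the backend.
RESOURCE_OWNERS = {101: "alice", 102: "alice", 203: "bob"}


class AccessDenied(Exception):
    """Raised when a reference is unknown to the session or not authorized."""


@dataclass
class Session:
    user: str
    # Indirect -> direct map, built only for this user's session. Tokens from
    # another session are meaningless here, so guessing or copying them fails.
    refs: dict = field(default_factory=dict)


def is_authorized(user: str, direct_id: int) -> bool:
    """Rights check: here, ownership of the resource (constructed rule)."""
    return RESOURCE_OWNERS.get(direct_id) == user


def expose(session: Session, direct_id: int) -> str:
    """Return an opaque per-session token to place in the page instead of the
    direct identifier. The rights check is applied at exposure time too."""
    if not is_authorized(session.user, direct_id):
        raise AccessDenied(f"{session.user} may not reference {direct_id}")
    token = secrets.token_urlsafe(16)   # unpredictable, not derived from the id
    session.refs[token] = direct_id
    return token


def resolve(session: Session, token: str) -> int:
    """Map a token back to its direct identifier for this session only, and
    re-check rights on every access (they may have changed since exposure)."""
    direct_id = session.refs.get(token)
    if direct_id is None:
        raise AccessDenied("unknown reference for this session")
    if not is_authorized(session.user, direct_id):
        raise AccessDenied(f"{session.user} is no longer authorized")
    return direct_id
```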

An attacker may try to use default accounts, access unused pages, exploit unpatched vulnerabilities, reach files and folders available without any prior authentication step, or read unencrypted information.

It is therefore paramount to ensure the quality of the security configuration, with an adequate setup that protects the data and resources exposed on the network.

General hardening rules:

  • account security:
      • no default account left
      • no test account left on production systems
      • each account must be protected by a complex password
  • deactivation of unnecessary services
  • accurate rights set on files and folders
  • verification that the hardening rules follow the highest standards

Sensitive data (such as Personally Identifiable Information (PII), passwords, payroll, etc.) must be encrypted before being stored. Algosecure assesses the strength of the encryption algorithm and checks that:

  • data and backups are encrypted
  • strong keys and state-of-the-art encryption algorithms are used
  • keys and passwords are protected against unauthorized access.
