Comsec Consulting Launches CODEFEND™ Security Code Review Service
July 2009 by Marc Jacob
Comsec Consulting, a European information security consulting firm, has launched a new application security service for outsourced security code review and threat identification that combines technology with expert human analysis.
CODEFEND™ is an on-demand service that allows developers to securely send their non-compiled source code to Comsec, where it is analysed for security vulnerabilities and threats. By combining the latest generation of code analysis tools, customised rules and Comsec’s proprietary methodologies, the service delivers more accurate reporting and identifies vulnerabilities that a ‘tool only’ approach routinely misses.
To avoid excessive code re-write costs, or the risk of releasing products with known vulnerabilities that are only flagged in routine penetration testing, enterprises have started to adopt a Security Development Lifecycle (SDLC), which combines threat assessments, training and code reviews throughout code and system integration development. As part of SDLC, many companies have purchased costly licences for code review software, which often requires extensive customisation by the development team and commonly produces large numbers of false positives, both of which increase the burden on developers.
With its broad technology support and logistical and financial flexibility, provided as a hassle-free solution delivered as a service, CODEFEND™ streamlines application security testing and code review processes, delivering the following benefits:
Potential to reduce code re-write costs by as much as 50%
More cost efficient than purchasing in-house tools with quicker response and results
Developers can dynamically publish their code for review, with the service optimised for C#, VB.Net, C, PHP, Java, JavaScript and C++
Able to find common vulnerabilities, such as those identified in the OWASP (Open Web Application Security Project) Top Ten and the CWE/SANS (Common Weakness Enumeration / SysAdmin, Audit, Network, Security Institute) Top 25
Able to find complex vulnerabilities, such as Stored XSS, Authorization and Authentication Bypass, Race Conditions, Injections (XML, LDAP, SQL, Malicious Code) and Filter Evasions
Business logic flaws can be detected by the CODEFEND™ analysis team
False positives are eliminated by the CODEFEND™ analysis team
Migrating to the new service does not mean abandoning previous investment in security code review: “CODEFEND™ affords the opportunity of capitalising on previous investments in bespoke scripting, and knowledge gathered about systems and applications, to provide greater return on investment in the long run, and more efficiency over time.”