Review Scope & Contents
Whitebox analysis of your software allows for the best application hardening and security assessment results. During such a whitebox review I will start with a kickoff workshop (remote or on-site) with members of your development team to discuss the security topics relevant to your architecture. My detailed question list, based on my developer and pentester experience, addresses the important security aspects of your software.
Next, during the main part of the whitebox review, the source code (and configuration) is analyzed using a combination of semi-automated tooling and manual review. This approach checks for many aspects, including:
- Vulnerabilities in software architecture
- Vulnerabilities in critical business functions, like payment etc.
- Vulnerabilities in used components and dependencies
- Vulnerabilities in exposed and consumed communication interfaces
- Vulnerabilities in authentication and authorization
- Vulnerabilities in configuration management
- Vulnerabilities in session or token management
- Vulnerabilities in encryption and digital trust handling
- Vulnerabilities in logging and monitoring capabilities
- Vulnerabilities in error handling
- Vulnerabilities in transfer and storage of sensitive data
For data-flow relevant vulnerabilities, a source-to-sink analysis is performed so that the report contains as few false positives as possible.
The resulting report includes detailed descriptions of all security issues found (along with all evidence collected), mitigation advice to remediate each issue, and tips to further harden your application. To make it easier to distribute the individual findings to the relevant parties, I categorize every finding by the function (development, operation, architecture, business) to which it applies.
After the report has been delivered, an on-site or remote debriefing meeting is arranged with the team members assigned to remediate the findings, to discuss the report and any open questions.
This process can optionally be followed by a second check of the remediated findings, resulting in an updated report.
All checks and tests can be executed remotely as well as on-site at your office location. The following input is required as a prerequisite to start the whitebox analysis:
- Build-ready source code including dependencies and build scripts
- Application configuration settings from a production-like environment
- In case containerization is used: the images as well as the declarations used to build them (Dockerfile or similar)