Security code review service for threat identification
Comsec Consulting launched CODEFEND, a new application security service which combines technology and expert human analysis, for Outsourced Security Code Review and Threat Identification.
CODEFEND is an on-demand service allowing developers to securely send their non-compiled code to Comsec, where it is analysed for security vulnerabilities and threats. Fusing the latest generation of code analysis tools, customised rules and Comsec’s proprietary methodologies, the service delivers more accurate reporting and identifies vulnerabilities not routinely picked up when using a “tool only” approach.
How does it work?
- The client uploads their source code to the CODEFEND Security Code Review Center
- The code is extracted by the Comsec Security Experts and initial information is gathered regarding the code’s language, technology, structure, and business context through interaction with relevant personnel at your organization
- Custom CR Rules are developed based on the existing CODEFEND Rule Base and source code technology. In the event of a re-test, the predefined Custom Rules are uploaded
- The CR analysis process begins, following the uploading of the Source Code and Custom Rules to the CODEFEND™ processing servers
- The CODEFEND Security Experts perform a comprehensive analysis of the results to filter false positives, determine potential risk levels, and review suggested mitigations according to the application’s specific technological and business logic
- A final report is produced that gives a detailed description of the detected vulnerabilities, a risk analysis and actionable recommendations, including technical details and the actual code fragments concerned, in a friendly and practical format
“It has long since been proven that security code review is the optimal solution for detecting software vulnerabilities, especially while still in the development phases. Until now, cost-efficiency considerations and delivery pressures did not allow for proper, comprehensive security code review to be applied across all industries and development organisations, and it was often limited to the large software houses. Now, with multiple compliance standards, such as the Payment Card Industry’s Data Security Standard (PCI DSS), there is a real demand for security services across all areas of development, including at source code level”, said Roy Harari, VP Business Development at Comsec.