Code Review Methodology

1. Write the Report

1.1. Findings

1.2. Solutions and fixes

2. Verify the Flaws

2.1. Verify exploitation by testing complete flow of application.

2.2. Re-verify findings dynamically if possible

2.3. Take screen shots of code snippets

2.4. Ensure the snippets are clear and understandable and tell the story

3. Analyze the Code

3.1. Dissect the pages, classes, settings and utilize checklists and code review guidelines on how best to find each vulnerability.

4. Code Review Plan

4.1. Map each threat to pages, classes, or config settings. Checklists has been shared with relevant people for review

4.2. Pick relevant tests from our relevant checklists (.net / J2EE PHP , etc)

5. Study the Application

5.1. Study about the application features and modules

5.2. Understand the functions and functionalities of the app

5.3. Do a thorugh site walk through

5.4. Read the every available manuals and app documentation

5.5. Schedule call with developers and prepare questionnaires and interview them

6. Create Application Threat Profile

6.1. Create a list of known threats and previously discovered vulnerabilities

6.2. Brainstorm on additional risks

7. Study Code Layout

7.1. Get familiar with the pages, forms and classes within the app

7.2. Identify critical classes: authentication, authorization, logging, etc