Secure Code Review Quote
Cyber Security

Importance of Code Review and its Best Practices

by William Fieldhouse
written by William Fieldhouse

In a code review, programmers check each other’s code for mistakes and provide recommendations. Regardless of the methods a team chooses for code reviews, there are many important benefits that can be achieved by reviewing and examining code.

Importance of Code Review

The key benefit of code review is mentorship. Every individual in the team possesses some bits of knowledge that the others don’t have. By showing code to others, one can learn new tips and tricks of the coding process. It can also expose one to different approaches of solving a problem and helps expand the ways to tackle similar issues in the future.

The most important reason to seek out code reviews is for finding defects early on in the development process. It’s better to have two sets of eyes than one. With an extra pair of eyes to review the code, it is more likely to have lesser defects in the code before it is pushed into the repository.

How to Review Code

Code reviews are all about collaboration, not about competition.

Follow these five best practices for conducting successful code reviews.

  1. Look for Key Things in a Review

These include style, structure, performance, logic, design, functionality, readability, and test coverage. Some of these can be checked through automation, such as structure, but others such as functionality need a human to review.

  1. Build and test before the review

Before conducting a manual review, it is important to build and test. Doing automated test helps cut down errors and saves time.

  1. Review code for a maximum of one hour at one time

Going beyond this timeline tends to reduce attention-to-detail and performance. It is advisable to conduct frequent reviews with shorter intervals instead. By taking a break, the brain gets a chance to reset and helps perform better reviews.

  1. Check 400 lines of code at the most

Again, reviewing too many lines of code can result in lesser probability to find defects. Each review should be kept for 400 lines or lesser. This limit is significant for the same reasons as setting time limits.

  1. Give constructive feedback

Instead of being critical in feedback, a better approach is to be constructive. Point out the issues and suggest ways of improvement. Ask questions instead of making statements, and praise alongside the feedback.

If you are looking for a code review quote, Aardwolf security can help fulfil your requirement with one of our experienced pen testers. Get in touch today to find out more or use our interactive pen test quote form.

0 comment
FacebookTwitterLinkedinEmail
Network assessment
Cyber Security

Network Assessment Checklist

by Tashina
written by Tashina

As a business grows, it often needs to expand its IT networks for accessing and providing increased functionality. In doing so, many times a business may overlook optimal practices and security requirements. Network assessment can help a business gain visibility into IT issues, to rectify them before they affect the business performance.

What is Network Assessment?

Network assessments help in exposing IT security and network issues and allow to generate reports that outline the rectification steps. A network assessment report should be clear and comprehensive, and based on the key findings of the assessment. A good report also includes SWOT analysis of the network.

Network Assessment Checklist

To ensure the dependability and functionality of your business network, it is important to conduct a regular network assessments. Hence, it is best to make this a priority, or the network will likely not perform as expected. To make it easier, this checklist outlines the important components should be a part of network assessments.

Assessing Bring Your Own Device (BYOD) Policy

BYOD is now an unavoidable phenomenon. Even with restrictions, it is likely that the staff will need to bring their personal devices to work, and connect them to the organisation’s network. Thus, potentially resulting in slower speeds, increased bandwidth demands, and potential security vulnerabilities.

To overcome these issues, there should be clear and detailed policies for BYOD. When assessing the policy, it is important to consider unknown hardware, unapproved third-party applications, and the connected devices along with the vulnerabilities created by them.

Assessing Network Security Vulnerability

Cybersecurity vulnerabilities are common way for hackers to exploit and gain access to networks. They can exist in hardware, software, or even the physical environment. Some of these are easily resolvable, but others require a professional network assessment for identification and patching. It is best to address common vulnerabilities such as outdated security patches and poor password management practices.

Assessing Network Bandwidth Demand

Networks have limited bandwidth to be shared among the users. Thus, by monitoring how bandwidth is distributed and used, it is easy to determine if the network needs expansion, or if one needs to address individual devices and applications.

Network Infrastructure Assessment

This includes assessing the system’s software and hardware components. Software includes applications, firewalls, and operating systems. Hardware includes access points, switches, and cables. To establish a healthy infrastructure, it is necessary to examine bandwidth patterns and update patches.

Network Files and Data Security Assessment

Data security contributes towards overall network security. It is best to asses how the business gathers, stores, accesses, and distributes confidential information. Data that is poorly secured can quickly become a vulnerability and can expose a business to regulatory issues. It’s also imperative to manage who has access to what.

If you would like to have professional and thorough network assessment for your enterprise, contact Aardwolf Security to find how we can be assistance.

0 comment
FacebookTwitterLinkedinEmail
Secure Code Review Quote
Cyber Security

Secure Code Review Checklist

by Tashina
written by Tashina

A code review is conducted after a developer finishes working on a piece of code, another developer then analyses it for obvious logical errors in the code?, are all requirements met?, are automated tests sufficient for the code, is there a need to change existing automated tests?, is the code in conformity with current guidelines?

When conducting a code review, it is important to keep it aligned with the existing team processes. Here is a checklist for conducting a code review successfully.

Divide Review into Time Slots

Experts don’t recommend to review the entire project at once. One should not review more than 400 lines of code at one time. Furthermore, one check should not take more than one hour. This recommendation is based on the fact that humans are unable to process a large amount of information for longer time periods. Going beyond this mark can decrease the ability to detect bugs, and cause a reviewer to miss critical errors.

Ask Team Members for Help

The review quality can be increased if there are more people reviewing. Using different tools, one can assign reviewers from the team and discuss chosen source code lines. Performing code review collaboratively not only enhances the code but also the team’s expertise by sharing knowledge and discussing changes.

Develop Metrics

When starting the review, it is best to set up goals such as “reduce the defects by 50 percent.” It is important to develop measurable goals instead of generic ones like “to find more bugs”. Also gather metrics like number of bugs detected per hour, speed of review, and average bugs per line of code. Tracking review performance constantly can show a true picture of inner processes.

Keep a Positive Approach

A code review can sometimes cause relationships within the team to strain. This is why it is important to keep the criticism positive and friendly to ensure that the coworkers remain motivated.

Set Up a Process for Fixing Bugs

Once the code review is done, there should be a process for fixing all the bugs found. It is important to discuss bugs with the creator (unless one is reviewing the code for another team), and get the changes approved before submitting them into the source code.

Secure Code Review Quote

If you are looking for a secure code review quote, Aardwolf security can help fulfil your requirement with one of our experienced developers/pen testers. Get in touch today to find out more or use our interactive pen test quote form.

0 comment
FacebookTwitterLinkedinEmail
What is Cross-site request forgery
Cyber Security

What is Cross-Site Request Forgery and How Does it Work?

by Tashina
written by Tashina

Cross-Site Request Forgery, or CSRF is an attack that forcefully makes an authenticated user submit a malicious request against a Web application they are authenticated to. This attack intends to exploit the trust of a Web application on an authenticated user. The aim of the attacker behind conducting a CSRF attack is to make users submit a request for changing the state.

For example:

  • Submitting a transaction
  • Changing a password
  • Deleting or submitting a record
  • Sending a message
  • Purchasing a product

Attackers often launch CSRF attacks using social engineering methods. They trick a victim by making them click a malicious URL that sends an unauthorised request for a web app. The victim then sends said malicious request to a particular web application. It also includes website-related credentials such as session cookies. When a user has an active connection with the targeted application, it treats the new request like an authorised request by the victim. This makes the attack successful.

How does Cross-Site Request Forgery Work?

Cross-site Request Forgery attack targets those web applications that cannot distinguish between valid and forged requests. An attacker can use many methods to exploit a vulnerability in an application to conduct CSRF.

Let’s consider an example. Brian has an online account and visits his bank website regularly to carry out transactions with his brother David. He is not aware that his bank’s website is vulnerable to CSRF attacks. A hacker plans to send £10,000 from Brian’s account by exploiting the vulnerability. To launch an attack successfully,

  • The attacker will create an exploit URL
  • They will trick Brian by making him click the exploit URL
  • Brian must be in an active session with the website when the attacker launches the attack.

By using different attack methods through social engineering, the attacker tricks Brian into loading the infected URL. They can do this by putting a malicious URL on pages the user often accesses while logged in, including malicious HTML images into a form, or by simply sending an email with a malicious URL.

The Limitations

However, there are certain limitations for carrying out a successful CSRF attack. A CSRF attack’s success mainly depends upon a user’s active session with the vulnerable application. If the user is not in an active session, the attack cannot be successful. Moreover, the attacker needs to find a valid URL for crafting it maliciously. This URL must be able to change the state of the target application. They must also find the correct URL parameter values, or the target application may possibly not accept the malicious request.

Web Application Penetration Testing Quote

If you are looking for a web application pen test quote, Aardwolf security can help fulfil your requirement with one of our experienced pen testers. Get in touch today to find out more or use our penetration test quote form.

0 comment
FacebookTwitterLinkedinEmail
Cyber Security

What is a Code Review?

by Tashina
written by Tashina

Simply put, a code review, or peer code review, is the act of systematically checking code of peers to point out mistakes. It has been shown to streamline and accelerate the software development process. Though software developers often depend on automated testing for code reviews, manual review of code by peers yields better chances of correction.

Whether one is a programmer or a software development manager, it is imperative to realise the importance of code reviews. When done in a correct manner, peer review saves time by streamlining the development and reducing the amount of work required later by QA teams. Code reviews also save money in the long run by catching bugs that may go undetected during testing and potentially production.

Whereas saving money and time are important concerns for a business in the software development industry, code review also fosters greater communication between coworkers, distributes sense of ownership for a piece of code, and provides invaluable educational context for junior developers. Senior colleagues demonstrate better methods to write clean code and solve problems with useful shortcuts while identifying issues like buffer overflows, memory leaks, and scalability.

Understanding Code Review

A code reviewer reads the code line by line to look for any flaws or potential flaws, quality of comments, consistency with overall program design, and adhering to coding standards.

Code reviews are especially productive for finding security vulnerabilities. There are special applications that aid with the process. It helps with testing the source code systematically for potential trouble such as race condition(s), buffer overflow(s), size violations, memory leakage, and duplicate statements. Code reviews are also important for testing the quality of security patches.

Code review process consist of the following stages:

  • Identifying more efficient ways to complete a task by considering best practices
  • Detecting logical errors
  • Identifying the vulnerabilities in the code
  • Reviewing code to detect any potential malware and to find backdoors integrated into the software

What to Look for in a Code Review

It is important to consider the following points when conducting a code review:

Design

Consider the overall design of the code. Look for answers to questions like do the interactions between different pieces of code make sense? Does the change belong to your library or codebase? Does it integrate with rest of your system? Is it a good time to add a particular functionality?

Functionality

Is the code serving the purpose for which we created it? Does it cater to all the requirements? Is it user-friendly?

Complexity

Is the code more complex than it is supposed to be? It is best to check this at every level of the code to see if individual lines are too complex. What about the functions and classes? The term “too complex” usually means that code readers cannot easily understand it.

Aardwolf Security team helps with code reviews to ensure that a business is not exposed to vulnerabilities.

Secure Code Review Quote

If you are looking for a code review quote, Aardwolf security can help fulfil your requirement with one of our experienced developers and testers. Get in touch today to find out more or use our interactive pen test quote form.

0 comment
FacebookTwitterLinkedinEmail
Network penetration testing company
Cyber Security

5 Things Your Network Assessment Should Include

by Tashina
written by Tashina

Businesses should conduct regular network assessments to ensure that their IT processes are performing efficiently. From identifying obsolete hardware and software to improving security and devising disaster plans, a well-designed network assessment makes sure that business productivity can continue to be maximised.

Here are 5 things a good network assessment must include:

Network Inventory

The first step is to know how the network is equipped, structured, and configured. Hence, one must know answers to questions like how many users are there?,  how old is the network software and hardware?,  are users accessing the network through few or many devices, and what exactly is the network used for?

Some businesses depend on their networks for accounting or communication. Others may also rely on their network for application development, ordering and inventory control, office collaboration, and project management.

A network assessment should examine network inventory and align its capabilities with the business. This helps ensure that the network is performing optimally without wasting many resources.

Security Assessment

With data breach numbers increasing every year, data security is integral to protect a business. A vulnerability can exist in any part of the network. It can be a result of an outdated network technology, insufficient firewall protection, unsecured web application, or poor passwords.

Conducting a security assessment uncovers potential issues before they arise, saves downtime, prevents data loss and ensures customer loyalty.

Network Performance Evaluation

Bandwidth limitation slows down performance and affects employee productivity. These bottlenecks can be a result of a number of causes such as large file transfers, backups at wrong times, content streaming, or faulty software and hardware configuration.

Network assessment can isolate the causes of slow network performance and helps determine the best way to get the network up and running efficiently and effectively.

Cloud Setup Evaluation

With more business setups moving to the cloud, it’s important to consider how to leverage the technology. Many organisations use cloud for file sharing and backup and recovery. In each case, it is important to cater to security. Some businesses such as Office 365 also run cloud-based applications.

In addition to security concerns, it is important to know how well the cloud setup works for specific needs of the business. Cloud assessment and evaluation can make overall network assessment more thorough.

Mobile Device Usage

For businesses that heavily rely on mobile devices such as smartphones and tablets, a network assessment helps reveal how the mobile device usage relates to the network. Though some mobile devices work efficiently, but can pose security threats as well. A network assessment that evaluates mobile usage while adhering to security concerns goes a long way towards making the business network more reliable.

Network Pen Test Quotation

If you are looking for a network pen test quote, Aardwolf security can help fulfil your requirement. Get in touch today to find out more or use our interactive pen test quote form.

0 comment
FacebookTwitterLinkedinEmail
network pen test quote
Cyber Security

What is a Network Assessment and Why Do You Need One?

by Tashina
written by Tashina

Have you ever considered a network assessment for your business but are not sure what exactly it does and how it benefits your business?

A network assessment is a detailed report and analysis of an organisation’s IT infrastructure, security, processes, management, and performance. The purpose of an assessment is to identify the areas that need improvement and to get a detailed overview of a network’s current state. Thus, helping companies in making informed business decisions.

A network assessment may be needed when either an organisation’s IT assets have grown and need regular monitoring, or when one or more of the IT components have started malfunctioning.

Network Assessment: Does My Business Need One?

Let’s have a look at how network assessments can benefit a business

1. In-Depth Analysis of IT Infrastructure

From topology maps to traffic patterns, it can help in making informed decisions about network upgrades and maintenance. The IT team can ensure that systems are working optimally by gaining insight into weaknesses and capabilities and maintenance of current network assets.

2. Creating a Strategic Roadmap

After gaining visibility into the current state, the IT team can consolidate, simplify and automate the network. It is easier to move forward with a  clear roadmap to a virtualised, modern and software-defined infrastructure. In turn, this saves time and the team can focus on other strategic activities.

3. Improvement in Security

Without having complete visibility into the network, it is not easy to defend against cyberattacks.  A Network assessment also uncovers how people and processes interact with the network. It helps design a preventive and proactive security strategy for the organisation.

4. Potential to Save Costs

In a conventional computing environment, capacity is provisioned on the basis of estimated resource requirements. Hence, it often often results in expensive resources being idle or in not having enough capacity. Furthermore, network assessments help design new network architectures including cloud computing. Thus, cloud allows the usage of as much or as little capacity as required and only paying for the resources you utilise.

5. Identification of Protocol Enhancements

A network assessment exposes vulnerabilities in current systems and uncovers opportunities to improve. For example, when accessing data on a flat network, a data breach can quickly spread. By segmenting the network, the attack has limited impact.

A third-party service partner that conducts a network assessment can provide objective unbiased recommendations. Thus helping to achieve improved security and capacity planning.

Network Pen Test Quote

If you are looking for a network penetration test quote, Aardwolf security can fulfil your requirement. Get in touch today to find out more or use our interactive pen test quote form.

0 comment
FacebookTwitterLinkedinEmail
Mobile Application Penetration Test Quote
Cyber Security

The Mobile Application Penetration Testing Methodology

by Tashina
written by Tashina

The Mobile Application Penetration Testing Methodology shifts its focus from conventional application security, according to which the threat primarily originates from internet.

A Mobile Application Penetration Testing Methodology focuses on file systems, client security, network security and hardware. Thus, it considers that end user has the device’s control.

Let’s have a brief overview of the four main stages of Mobile Application Penetration Testing Methodology.

1. Discovery

It requires the penetration tester to gather information essential for understanding events leading to mobile application exploitation. Hence, intelligence gathering is an important step of penetration testing. Moreover, discovering hidden indications that can expose any vulnerabilities can differ a successful test from an unsuccessful penetration test.

The discovery stage includes:

  • Open Source Intelligence – the penetration tester searches app information from the internet, through social networking websites, or search engines.
  • Platform Understanding – to develop threat modelling for the app, the pen tester needs to understand the mobile app platform. Thus, they take the company, the business case, stakeholders, and internal processes into account.
  • Server-Side vs Client-Side Scenarios –  a penetration tester should understand the application type, such as web, native or hybrid, and work on test cases.

2. Assessment

Assessment or analysis involves the pen tester to go through the source code to identify any potential weaknesses or entry points. This process is unique since the penetration tester has to check the apps while installing them.

Different assessment methods include:

  • Local File Analysis – Penetration tester checks local files in the file system to check for any violations.
  • Archive Analysis – pen tester extracts iOS and Android application installation packages. Then, they review them to see if there are any modifications.
  • Reverse Engineering – it involves converting compiled apps into readable code.

3. Exploitation

The penetration tester leverages the vulnerabilities they have discovered. Based on the information they have, they will launch their attack. Hence, a thorough intelligence gathering has higher chances of successful exploitation that leads to a successful penetration test.

During exploitation stage, the pen tester tries to exploit the vulnerabilities to gain important information and carry out malicious activities. Furthermore, they undergo privilege escalation in order to elevate privileged users for avoiding restrictions on their activity. Moreover, the penetration tester executes modules that permit to backdoor the device for performing access in future.

4. Reporting

The final stage of this methodology is reporting. It involves presenting all the issues to the management. Also, this is the stage that differentiates a penetration test from a real attack.

The Mobile Application Penetration Testing Methodology is vendor neutral and takes mobile characteristics into consideration. It helps to improve repeatability and transparency for mobile penetration testing.

Mobile Application Pen Test Quote

If you are looking for a mobile application pen test quote, Aardwolf security can fulfil your requirement. Get in touch today to find out more or use our interactive pen test quote form.

1 comment
FacebookTwitterLinkedinEmail
web application pen test quote
Cyber Security

Web Application Security, How Does it Work?

by Tashina
written by Tashina

What is Web Application Security?

Web application security in its basic form is the idea of ensuring websites function as expected from a security perspective. It includes a collection of security controls that are engineered into a web application for protecting its assets from potential threats.

Like any other software, web applications can also contain bugs and vulnerabilities. Some of these issues can be actual vulnerabilities that you can exploit. These can pose serious risks to the organisation. Web application penetration testing can defend your organisation against such vulnerabilities.

Why is Web Application Security Important?

Web application security testing primarily targets the application layer to see what runs on HTTP. A pen tester sends different inputs to provoke errors, and tries to see the behaviour of the system. These tests intend to check if the system is showing any unusual behaviour, or doing something that it is not designed to do.

Another important thing to consider is that web security testing is not just about testing security features such as authorisation and authentication. It is also important to test that one has implemented all other features securely. For instance, using correct input validation and output encoding. The ultimate goal is to test that all exposed features in the web application are secure.

How Does Web App Security Testing Reduce Risks for my Organization?

Some common web application attacks include cross site scripting, SQL injections, path traversal or remote command execution. These attacks can result in compromised user accounts, access to restricted content, installation of malicious code, and much more.

If you know the different attacks your application can face along with their outcomes, you can proactively address these vulnerabilities and conduct your tests accurately. By determining the root cause of vulnerabilities, you can implement mitigation controls during early stages of your SDLC. Furthermore, have knowledge of how the attacks work can help you target known interest points during a web app security test.

Another key to managing risk is to recognise the impact of attack. By identifying issues during a web security test, your organisation can prioritise its remediation efforts. Before identifying an issue, evaluate potential impact against each application. With a list of high-profile applications, you can schedule web application security testing to target the critical applications first with prioritised testing.

Web Application Pen Test Quote

If you are looking for a web application pen test quote, Aardwolf security can fulfil your requirement. Get in touch today to find out more or use our interactive pen test quote form.

0 comment
FacebookTwitterLinkedinEmail
black box pen test quote
Cyber Security

Black Box Red Teaming: Proxy, Virtual Private Network or TOR

by Tashina
written by Tashina

Often when conducting penetration tests, there is a need to carry out full-fledged black box testing. This is where a security professional has to deal with firewalls or other restriction mechanisms on the customer’s end. This can be an interference as penetration testers try executing checks which may be blocked periodically by, for instance, user-agent or IP address.

If there wasn’t a gray or white box testing model and our IP is not whitelisted, what can be done to bypass limitations regulated by a customer? There’s of course the possibility to evade limitations by switching our user-agent and IP address.

When we talk about user-agent, it’s easier as you may only need to install a plugin for your web browser, or switch agent in your script through a particular function. But what about the IP address? Let’s look at the pros and cons of some available methods that you can use to hide your IP address, mask your activities, evade firewalls and bypass bans.

What is a Proxy Server

Proxy servers have several forms.

HTTP relays GET/POST request. It can add your IP address to request header and store your entire history of interaction with the site.

Pros

  • Supported by almost every browser
  • Anonymity (if used properly)
  • DNS query on behalf of server

Cons

  • Works for HTTP protocol only
  • Server history
  • Can filter and replace data with proxy server

For a SOCKS Proxy, the browser will open TCP (sometimes UDP) sockets on the server’s behalf. Depending on the browser, you can also use the local DNS server and the site can track you by issuing a unique name for every request and remembering the addresses from where the DNS queries come.

Pros

  • Anonymity (when used correctly)
  • DNS queries on server’s behalf (Chrome)
  • Can forward an arbitrary TCP connection (for instance, SSH)

Cons

  • DNS queries on client’s behalf (Firefox)
  • Server history
  • Can filter and replace data with proxy server

What is a Virtual Private Network

A VPN allows a user to send and receive any data across public or shared networks. Hence, applications that run on a device across a Virtual Private Network can take advantage from the security, management and functionality of the private network. When using a VPN, the most common solution is an OpenVPN. It provides many features such as the possibility to work through UDP, undergoing NAT using SSL/TLS, split tunnelling and much more.

Pros

  • More reliable
  • Higher capability
  • Better encryption
  • Can be used as a VPN inside a VPN
  • Easier to use with a large number of tools

Cons

  • One IP for everything
  • Takes longer to connect
  • Hard to switch IPs

What is TOR

Tor network is an anonymising technology to help you get access to Tor network along with hiding your real IP address. You can either install the Tor browser or run your Tor service on a remote server used as a proxy.

You can switch your IP by using the option provided in your browser or by restarting your server’s Tor service

Pros

  • Free
  • Easy to use
  • Quick with changing locations and IPs

Cons

  • Anyone on the exit node is able to monitor your traffic
  • You cannot use Tor the same way as proxy. It’s more like the VPN method

Black box penetration test quote

Whether you are looking for a whitebox or blackbox assessment, Aardwolf security can fulfill your requirement. Get in touch today to find out more or use our interactive pen test quote form.

0 comment
FacebookTwitterLinkedinEmail
Newer Posts
Older Posts