Source Code Review for a Retail Chain in the UAE
Introduction
Retail is a broad industry whose functions run under many brand names across diverse locations, and web and mobile applications are the vital bridge between these businesses and their customers. Because these applications hold critical data and are reachable and used globally, they have always raised security concerns.
Security is among the first questions asked about an application's safety, fitness and long-term continuity, and a code review is a prerequisite for adhering to regulatory standards. This case study covers a source code review engagement for a retail chain in the UAE.
What exactly is a source code review?
From a security perspective, a secure source code review is a specialized task involving manual and automated inspection of a project's codebase. It aims to find security-related weaknesses or flaws in the source code. Incorporating code review in the early stages of development helps improve code consistency, overall maintainability and the productivity associated with the business application.
Requirements of the client
The client's requirements for the engagement were:
- Source code evaluation
- Compliance in line with industry standards
Challenges
A minor challenge during the engagement was fetching the codebase remotely. Each stage of the secure code review process was also communicated remotely because of the ongoing COVID pandemic.
Used Strategy
- Threat Modeling
  Our team first studied the code involved and the existing threats, and prioritized the different parts of the code for review. This step helped us identify the gaps and weak areas of code left open during the development phase.
- Code Analysis
  The next phase was code analysis, in which our security analysts performed both automated and manual testing of the code.
  - Automated analysis
    Here, automated tools such as Checkmarx and Fortify scanned the whole codebase and produced findings. These findings were then checked and compared against the expected outcome.
  - Manual analysis
    Manual code review involves line-by-line inspection of the code to discover logical errors, weak configurations and insecure use of cryptography. Platform-related issues are also spotted during manual code analysis.
- Reporting
  We provided the client with an in-depth report of every identified vulnerability and business risk, together with a prioritized action plan for remediation. Our pen testing team provided the patching advisory and assistance needed for safe remediation.
- Revalidation
  After the customer completed patching, we revalidated the scope of the remediation effort. We checked that the gaps and weaknesses had been closed and that everything complied with the required standards.
Results / Outcomes
Numerous vulnerabilities were spotted and reported with criticality alongside a prioritized remediation roadmap for effective patching.
Web
- Reflected XSS All Clients
- Stored XSS
- SQL Injection
- Command Injection
- Deserialization of Untrusted Data
- File Inclusion
- Path Traversal
- Improper Neutralization of SQL Command
- Use Of Hardcoded Password
- Reflected File Download
Mobile (Android/iOS)
- Improper certificate validation
- Jailbreak file referenced by name
- Unchecked return value
- Exported service without permission
- Improper verification of intent by the broadcast receiver
- Input path not canonicalized
- Non-encrypted data storage
- Insecure data storage
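Two of the findings above, Path Traversal and Input path not canonicalized, share one root cause: a user-supplied path is joined to a base directory and used without canonicalizing it and checking that the result stays inside that directory. The following is an added illustration, not code from the engagement; the upload root and the sample paths are constructed, and the check is purely lexical (a real service would additionally resolve symlinks on the filesystem).

```python
import posixpath
from pathlib import PurePosixPath

# Constructed base directory for the example; not a path from the engagement.
UPLOAD_ROOT = PurePosixPath("/var/www/retail/uploads")


def resolve_unsafe(user_path: str) -> PurePosixPath:
    # The kind of code a review flags: the user-controlled path is joined to
    # the root and used as-is, so "../" segments and absolute paths escape it.
    return UPLOAD_ROOT / user_path


def naive_prefix_check(user_path: str, root: PurePosixPath = UPLOAD_ROOT) -> bool:
    # A common but flawed remediation: normalize, then compare as strings.
    # "../uploads_evil/x" normalizes to /var/www/retail/uploads_evil/x, which
    # starts with the root string and therefore passes this check.
    return posixpath.normpath(str(root / user_path)).startswith(str(root))


def resolve_safe(user_path: str, root: PurePosixPath = UPLOAD_ROOT) -> PurePosixPath:
    # Hardened form: canonicalize lexically (collapses "." and ".."), then
    # check containment component by component rather than by string prefix.
    candidate = PurePosixPath(posixpath.normpath(str(root / user_path)))
    root_norm = PurePosixPath(posixpath.normpath(str(root)))
    try:
        candidate.relative_to(root_norm)
    except ValueError:
        raise ValueError(f"path escapes upload root: {user_path!r}") from None
    if candidate == root_norm:
        # The caller expects a file inside the root, not the root itself.
        raise ValueError("empty or root-only path is not a file")
    return candidate


def is_contained(user_path: str, root: PurePosixPath = UPLOAD_ROOT) -> bool:
    # Convenience wrapper returning True only when resolve_safe accepts the path.
    try:
        resolve_safe(user_path, root)
        return True
    except ValueError:
        return False
```

The difference between `naive_prefix_check` and `is_contained` on `../uploads_evil/x` is the detail a line-by-line reviewer looks for when a traversal finding has supposedly been fixed.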
Conclusion
Our secure code review services brought the client several benefits. The client received top-class testing and advisory services, with:
- Easy identification of code bugs.
- Complete coverage of code flaws, weaknesses, and vulnerabilities.
- Enhanced code quality and efficiency.
- Improved maintainability and continuity.
- Easing the QA testing phase.
- Knowledge sharing & learning perspective.
- Effective documentation illustrating the process.
Every process was conducted in line with the regulatory standards and norms applicable to the industry. The engagement reflected dedicated team effort and communication: each phase was clearly communicated and reported so that the spotted vulnerabilities could be patched efficiently. The client successfully closed the gaps by following the recommended mitigation path, and the result was a healthy, positive engagement that met all of the client's requirements.