
Code Reviews

Coding errors introduce vulnerabilities into an application and its functions. A serious coding error can result in the complete compromise of the server hosting the application, so it is important that the code is reviewed before and after it goes live. ProCheckUp conducts code reviews of applications written in both Unix and Windows based languages.

Source Code Reviews - the most thorough form of penetration testing.

Penetration testing can be carried out in a number of ways including:

  • Black box - No information is given; we perform the test effectively as an outside attacker, without inside information.
  • Grey box - A certain amount of information is given (for example credentials or documentation), allowing the tester to go a step further into the application than an outsider could.
  • White box - All information is given, including the source code, allowing us to replicate the environment. This is the type of testing in which we perform a source code review.

ProCheckUp provides two methods of review, manual and semi-automatic, chosen according to the needs of your company. We then provide detailed reports of the vulnerabilities found and guidance on how to address them and so protect your networks.



What does ProCheckUp do differently?

ProCheckUp first performs a manual, source-level code review to discover problems within the program being inspected. ProCheckUp then trains Prochecknet on the source code of all the programs in scope, and Prochecknet attacks each program based on how it is written. These Prochecknet attacks are able to uncover security issues that arise between programs, which is difficult to do manually because of time constraints. The result is the most in-depth code review on the market.

Why this works best

Manual Review - The value of a manual tester is that they are good at finding logic problems: they can look at something unusual, learn how it works and reason about how it can be abused, so even obscure vulnerabilities are found. However, there is a limit to the amount of source code a person can get through in a timely fashion.

Semi-Automatic Review - Can get through far more code than a manual tester could, in substantially less time, and so finds more vulnerabilities on scale alone. It is hard for a person to enumerate every variation of an input, but a computer can, which again allows a larger amount of source code to be reviewed. However, if it comes across a program it does not understand it will make a number of attempts and then move on.

On its own, each approach finds approximately 90% of vulnerabilities, but not the same 90%: the manual reviewer misses issues through lack of time, and the tool misses issues it cannot understand. Combining the two therefore makes for the most effective and thorough method of testing.
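To make this division of labour concrete, here is an added example that is not ProCheckUp's, Prochecknet's or the page's own code: a toy pattern-based source scanner in Python run over a handful of constructed source files. The rule set and the sample files are assumptions made up for illustration. The scanner flags the pattern-shaped bugs (string-built SQL, string-built shell commands, a hard-coded credential) in every file at once, but it reports nothing for transfer.py, whose flaw is a missing ownership check that only a reviewer who understands the business logic will spot. The files the scanner is silent on are exactly where the manual reviewer's time should go.

```python
"""Toy pattern-based scanner: what automated review catches and what it misses.

Added example, not ProCheckUp or Prochecknet code. Rules and sample sources
below are constructed for illustration only.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    rule: str
    text: str


# Assumed rule set (hypothetical): each regex describes a dangerous-sink pattern.
RULES = {
    # SQL built by concatenation or f-string passed straight to execute()
    "sql-string-concat": re.compile(r'\.execute\(\s*(?:f["\']|["\'][^"\']*["\']\s*\+)'),
    # shell command built by concatenation or f-string passed to os.system()
    "shell-string-concat": re.compile(r'os\.system\(\s*(?:f["\']|["\'][^"\']*["\']\s*\+)'),
    # a literal assigned to something named like a credential
    "hardcoded-secret": re.compile(r'(?i)\b\w*(?:password|secret|token)\w*\s*=\s*["\'][^"\']+["\']'),
}

# Constructed sample sources (hypothetical code, not from any real project).
SAMPLES = {
    "orders.py": (
        "def find_order(cur, order_id):\n"
        "    cur.execute(\"SELECT * FROM orders WHERE id = \" + order_id)\n"
        "    return cur.fetchone()\n"
    ),
    "backup.py": (
        "import os\n"
        "def backup(path):\n"
        "    os.system(\"tar czf /tmp/backup.tgz \" + path)\n"
    ),
    "config.py": "DB_PASSWORD = \"hunter2\"\n",
    # The flaw here is logical: nothing checks that session_user owns from_acct.
    # No regex in RULES can express that, so the scanner stays silent.
    "transfer.py": (
        "def transfer(db, session_user, from_acct, to_acct, amount):\n"
        "    db.debit(from_acct, amount)\n"
        "    db.credit(to_acct, amount)\n"
    ),
}


def scan(sources):
    """Run every rule over every line of every file; return the findings."""
    findings = []
    for name, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in RULES.items():
                if pattern.search(line):
                    findings.append(Finding(name, lineno, rule, line.strip()))
    return findings


def unflagged_files(sources, findings):
    """Files the scanner said nothing about: the manual reviewer's queue.

    Silence from a pattern scanner means 'no known pattern matched', not
    'no vulnerability', so these files still need a human pass.
    """
    flagged = {f.file for f in findings}
    return sorted(name for name in sources if name not in flagged)


if __name__ == "__main__":
    results = scan(SAMPLES)
    for f in results:
        print(f"{f.file}:{f.line} [{f.rule}] {f.text}")
    print("needs manual review:", unflagged_files(SAMPLES, results))
```

The scanner's cost per file is constant and it never tires, which is the scale argument above; its blind spot is that a rule only fires on a shape it was given in advance. In practice the manual reviewer's findings (such as the missing ownership check) become new rules, so each review makes the automated pass a little less blind.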


One large financial advisory organisation had regular black box penetration testing and was still being compromised. It went on to have a full source code review with ProCheckUp and, to date, has not been compromised since.