
Think You Can Get Away Without a Code Review? Think Again.

Written By

Capsicum Group

When discussing security options with our clients, we frequently hear them dismiss code review as an unnecessary extra. However, that perception couldn’t be further from the truth. Code review, a process in which software code is inspected for vulnerabilities before, during and after its implementation, is a necessary part of any cybersecurity strategy, especially if your company is about to implement a new program.

Although code writers are often brilliant scientists and artists, they may not be security specialists, and inevitably this can lead to mistakes. Coding errors made in the development process, such as buffer overflows, create weaknesses that could later be exploited by data thieves, employee saboteurs or other malicious parties. One such weakness recently made headlines when network equipment manufacturer Juniper Networks, Inc. announced that it had found an unauthorized “back door” in firewall software after its release, which left users vulnerable to attacks and prompted other manufacturers to perform extensive code reviews of their own software.

According to IBM, 95% of all security incidents involve human error, which should give any developer pause before implementing software that has not been reviewed. In many cases, whether the software in question is a mass-market program about to be packaged or a custom application developed in-house, its well-intended developers run an automated code review to scan for anomalies. However, this standard practice is rarely enough to catch every error. A task of such complexity requires a human touch—but it also requires a commitment of significant time and manpower, which you may not readily have on hand.

That’s where Capsicum Group comes in. While software code is often vast, and reviewing such an extensive body of code can be daunting for your development team, Capsicum’s cybersecurity experts have experience in using a combination of automated tools and intelligent methods to find and repair code errors that would otherwise put your company at risk of cyberattacks. Our team includes code writers and developers certified in “ethical hacking,” a process in which we test for vulnerabilities by exercising them the same way a malicious hacker might, but without any of the negative consequences.

Recently, we proved just how necessary a code review is for a business’s cybersecurity plan. This particular client hired us as they were rolling out a customized program. But when we tried to convince them that their rollout wouldn’t be complete—not to mention, safe—without a code review, the C-suite collectively shook their heads. Politely, they declined our offer, insisting that they didn’t think it was necessary. Concerned about the security of our client’s sensitive information, we offered to show them why a code review could mean the difference between peace of mind and hours of stressful, expensive damage control.

After asking for just a little bit of leeway, we assigned a team member to review the code and look for potential vulnerabilities. Sure enough, our team quickly found not just one but several vulnerabilities that were wide open to attack by data thieves and other bad actors. Using one of the program’s prominent loopholes, we staged an innocuous invasion: we ethically hacked the CEO’s calendar (it took only a little longer to do so than it did to log into our own Gmail accounts) and documented a few small, but noteworthy upcoming calendar items.

During a subsequent conversation with the CEO, we brought up the scheduled items that we had jotted down. It didn’t take long for the CEO to realize that we had successfully accessed his calendar to retrieve this information. Of course, Capsicum’s actions were innocuous and in no way interfered with the CEO’s existing schedule—but the same code vulnerability could easily be used by malicious hackers looking to steal trade secrets or just wreak mischief. To no one’s surprise, the CEO conceded that a full review was necessary after all. We quickly got to work and fixed the vulnerability that allowed us to hack his calendar, as well as the other vulnerabilities that would have left the company wide open to cyberattacks.

Let’s make something clear: writing code is a growing, specialized profession that attracts some of the best and brightest in the tech industry. The way that companies implement code, whether custom-made or part of a commercial software package, can cause issues even when these packages are straight “out of the box”. A code review performed by cybersecurity experts can point out vulnerabilities and recommend code enhancements to ensure rock-solid protection against attacks. If you’re reconsidering your approach to cybersecurity, let the team of technology experts at Capsicum Group help you with code review and more.