Blended Code Review

It is well known that eliminating software bugs and vulnerabilities at the requirements stage can reduce the cost of remediation over one hundred-fold compared to fixing them after the event. The ideal solution is for the code to be written under a software development lifecycle (SDLC) which includes regular code review throughout the cycle, rather than testing as a one-off exercise just before going live. Unfortunately, the cost of true threat modelling is prohibitive for most organisations, other than the largest software vendors or financial institutions.

Not only are fixes less costly the earlier they are addressed, but early review results in fewer fixes being required in the future. Manual code review alone can be expensive, and is usually conducted on a sample basis; it will pick up issues that automated tools are unable to, but only for the samples selected. Automated source code analysis tools cover the whole of the code set, but tend to be a significant investment which usually only large-scale development projects can afford; many are also prone to higher levels of false positives and are naturally limited in their ability to pick up the more complex issues that would be detected by manual review.

Commissum’s blended approach, a combination of managed source code analysis and manual review, aligned to your organisation’s software development lifecycle, offers a cost-effective alternative approach that can run in parallel throughout the development cycle. Commissum’s service offers a comprehensive, accurate and targeted method of detecting potential security vulnerabilities while the code is still in the development stage.

When combined with our CREST standard Application Penetration Testing prior to go-live and after significant changes, and then regular monthly or quarterly Application Scanning, security is built into the process, not merely added on. This also meets the requirements for compliance with PCI DSS.

Find out how Commissum’s blended code review can support you throughout the software development lifecycle.