Security analysis of software source code

1
Audit of the source code of a VoIP telephone system

Short description of the system. Commercial secure VoIP system certified by the Israeli Ministry of Defense.

Technologies: modular architecture, web server, VoIP server, client applications for Windows, iOS and Android; DBMS: Oracle; platforms and programming languages: .NET, C/C#, Objective-C, Java.

Total number of lines of source code: 1.2 million.

Objective: in white-box mode, conduct an independent security audit of the source code.

Solution. The customer had already run automated static analysis, so we limited ourselves to a manual, line-by-line security audit. In the C code we identified unsafe memory functions that allowed buffer overflows and memory leaks. In the mobile applications we identified logical errors that would let an attacker intercept encryption keys with a MitM attack. We also identified architectural errors that would let an attacker block a subscriber with a DoS attack. Detailed reports were compiled for executive management and for technical specialists; they described every problem found and gave recommendations for resolving it.

Duration of work: 2 months.

Conclusions. Despite the customer's significant effort to find security problems in their system with modern, licensed source-code security scanners, our independent line-by-line audit identified additional problems the customer had not detected. Eliminating them let the customer raise the security of their application to a new level and avoid compromising their customers' confidential information.

Learn more about security analysis of source code.

2
Audit of source code for an international payment system

A brief description of the system. Our customer's electronic wallet system lets their clients top up a balance using bank payment cards, PerfectMoney, WebMoney, LiqPay, SWIFT and other methods, and withdraw money the same way. Payment card data is neither transmitted through nor stored in the system. The wallets are multi-currency, and one currency can be exchanged for another inside the system at internal rates. The system has an API for integration with merchants. The main target users are clients of Forex brokers; mobile operators and online stores selling mobile phones and accessories are also connected to the payment system.

Technologies: modular client-server distributed architecture, cloud hosting, DBMS: PostgreSQL, MySQL, GT.M, programming languages: C++, PHP, Go, Hack, Python, M, Java, JavaScript, Perl.

Total number of lines of source code: 1.8 million.

Objective. In white-box mode, find architectural flaws, insecure coding practices, system vulnerabilities and penetration paths.

Solution. The audit used automated analysis first and manual analysis second. We identified a large number of uninitialized variables, obsolete and insecure memory-handling functions, and insufficient input validation. In several places user input was spliced into SQL queries without validation; this allowed us to perform SQL injection attacks and compromise clients' personal data. We found that some modules transferred data between frontend and backend through a proxy without protection, which could have enabled a MitM attack. Weaknesses in the protection of the administrative panel allowed users with the Verifier and Financier roles to escalate their privileges. We identified logical errors in the internal currency exchange process that an attacker could manipulate to the point of bankrupting the operator. We detected errors in transaction logging and in system integrity monitoring, namely in the control calculations over transaction chains. Detailed reports were compiled for top management, the IT director and technical specialists; they described every problem found and gave recommendations on how to solve it.
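The injection pattern described above, as an added example that is not code from the audited payment system: a lookup that splices user input into the SQL text, the same lookup with a bound parameter, and an allow-list check for the one case (a column name) that placeholders cannot protect. The `clients` table, its rows and the function names are constructed for illustration; the database is an in-memory SQLite instance so the example runs offline.

```python
"""Added example: user input in SQL text versus bound parameters.

Constructed data and function names; not the audited system's code.
"""
import sqlite3

# Constructed sample table standing in for a client records table.
SAMPLE_CLIENTS = [
    ("alice", "alice@example.test", 120.5),
    ("bob", "bob@example.test", 40.0),
    ("carol", "carol@example.test", 999.99),
]

# Identifiers (table/column names) cannot be bound as parameters, so the
# only safe way to let a caller choose a sort column is an allow-list.
ALLOWED_SORT_COLUMNS = frozenset({"login", "balance"})


def build_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients ("
        "id INTEGER PRIMARY KEY, login TEXT, email TEXT, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO clients (login, email, balance) VALUES (?, ?, ?)",
        SAMPLE_CLIENTS,
    )
    return conn


def find_client_vulnerable(conn: sqlite3.Connection, login: str) -> list:
    """The pattern found in the audit: input pasted into the query text.

    A login of  x' OR 1=1 --  turns the WHERE clause into a tautology and
    returns every row; the trailing -- comments out the closing quote.
    """
    sql = f"SELECT login, email FROM clients WHERE login = '{login}'"
    return conn.execute(sql).fetchall()


def find_client_safe(conn: sqlite3.Connection, login: str) -> list:
    """Fix: the value travels as a bound parameter, never as SQL text.

    The same payload is now compared literally against the login column
    and matches nothing.
    """
    sql = "SELECT login, email FROM clients WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


def sort_column_allowed(column: str) -> bool:
    """Allow-list check for a caller-supplied identifier."""
    return column in ALLOWED_SORT_COLUMNS


def list_logins_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    """Sort by a caller-chosen column, but only one from the allow-list.

    Rejecting anything else is what stops  balance; DROP TABLE clients
    or an ORDER BY-based blind injection from reaching the database.
    """
    if not sort_column_allowed(sort_by):
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    # Safe to interpolate: sort_by is one of a fixed set of literals.
    rows = conn.execute(f"SELECT login FROM clients ORDER BY {sort_by}")
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    payload = "x' OR 1=1 --"
    print("vulnerable:", find_client_vulnerable(db, payload))  # all rows
    print("safe:", find_client_safe(db, payload))              # []
    print("sorted:", list_logins_sorted(db, "balance"))
```

The test of whether a fix is complete is the second function, not the first: the same payload must return nothing, and any identifier or keyword the caller can influence must go through an allow-list, because a `?` placeholder only binds values.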

Duration of work: 3 months.

Conclusions. We provided the payment gateway with a complete line-by-line analysis of its source code, which took much less time than developing the code had. With our help the company passed its PCI DSS audit, obtained the official certificate, published the gateway application and began its financial activities.


3
Source code audit for a cryptocurrency exchange

Short description of the system. A decentralized exchange that allows users to trade cryptocurrencies and tokens based on Ethereum smart contracts.

Technologies: independent frontend and backend; administrator interface as an iOS application; DBMS: PostgreSQL; programming languages: Go, Python, JavaScript, Objective-C, Java.

Total number of lines of source code: 960 thousand.

Objective: in white-box mode, find vulnerabilities in the system and ways it could be hacked.

Solution. Static code analysis at the first stage revealed duplicated code that carried serious potential for logical errors, along with erroneous parameters, errors in the variable dependency model and insufficient coverage by the implemented test scenarios. Further manual analysis of the source code uncovered hidden problems: incorrect validation of input data, logical problems with the sources of cryptocurrency quotes and of quotes for currency pairs, and the possibility of injecting incorrect data into a smart contract. Detailed reports for executive management and technical specialists were generated; they described every problem found and gave recommendations for resolving it.

Duration of work: 2 months.

Conclusions. With our help, the cryptocurrency exchange eliminated significant security issues that threatened the success of the organization. We completed the audit before the official launch, so the exchange was never exposed to these risks once the web applications were published and real users started arriving.


4
Code review for a global manufacturer of household and industrial equipment

A global manufacturer of household and industrial equipment was going to implement new modules for their ERP, CRM, financial, and e-commerce systems.

The modules were written using Java, C++ and SAP UI5.

The customer had scanned the source code with security scanners, performed a pentest, found and fixed security issues, and then asked us to do a manual security review.

The total scope was about 2 million lines. About 3 months later we presented a comprehensive report showing critical security problems that had been missed by the security scanners and even by the grey-box penetration test.

For example, we found critical race-condition vulnerabilities which, although unlikely to be triggered, could cause huge damage.

Another example was a backdoor in the code that gave the developers unauthorized access to the production system. The developers explained that they needed this access for legitimate debugging, but it was a risk, and we insisted that it be closed.

Conclusions. The customer made the right decision in entrusting us to independently verify the results of their security work, and received important information on omissions that could have caused serious financial damage. Corrections to the systems were made, their security was improved, and the risk of losses was minimized.
