Static Source Code Assessment methodology

The application will be tested for security vulnerabilities that could allow an internet based attacker to expose information or deface the web site.

Step 1. Automated Static Code Analysis

Automated scanning applications will be run on the web applications.
The application will be scanned using HP Fortify. HP Fortify is a highly regarded source code scanner which will iterate through each function in the application and identify common classes of security vulnerabilities. The types of vulnerabilities that are often picked up by HP Fortify include:
•    Cross Site Scripting
•    SQL Injection
•    XPATH Injection
•    Header Injection
•    File Inclusion Vulnerabilities
•    Directory Traversal vulnerabilities
All vulnerabilities that are identified with automated testing are verified to ensure their veracity. Vulnerabilities that are marked as false positives have not been included in this report.

Step 2. Manual Source Code Assessment

Each application then is manually audited by an experienced security auditor. The audit attempted to identify not just common classes of security vulnerabilities, but also vulnerabilities specific to the application itself.

Step 3. Risk Assessment and Classification of Findings

Each vulnerability that was identified is analysed to determine the impact, likelihood and overall risk that the vulnerability presents. The following risk factors were included in the analysis of the vulnerability:

• The business context of the vulnerability, including whether an attacker could gain access to sensitive information, or could impact the operation of the business;
• The technical context of the vulnerability, including whether an attacker could use this vulnerability to gain further access to the environment, to exploit other vulnerabilities or to access other systems;
• The technical ability required to exploit the vulnerability;
• Any mitigating factors that could prevent or limit the successful exploitation of the vulnerability.