Find security vulnerabilities that tools may miss.
Raxis uses a manual, line-by-line procedure to review the actual code for security risks. Our process is designed to meet compliance standards such as PCI DSS Requirement 6.3.2, which requires that any custom internal or public-facing code be reviewed by someone other than the original author. While this can take longer than an automated process, the manual procedure is recommended by PCI and allows us to find logic errors that tools often overlook. In addition, we will make suggestions to move to secure coding best practices where applicable, even if the code does not present an immediate vulnerability. In some cases, we may use a tool to help us locate coding issues in bulk; the work itself, however, is done manually by a highly qualified programmer and security expert.
Our Raxis Penetration Testing team has seen a significant number of coding and logic errors throughout the course of our work. These coding errors are often very simple, but their consequences are very significant. For example, leaving out input checking on one hidden field can result in a full compromise of the system, including the ability to create user accounts. While rarer, we have also seen cases where customers did not incorporate a proper user authorization design, resulting in privilege escalation across the application. Automated solutions are not as effective as our manual process and can leave security gaps in production code to be exploited by others.