Our risk assessments include four different types of security scans, each of which identifies potential vulnerabilities in a software system that threaten its security and productivity.
Static Code Analysis
This type of scan finds problems with code quality before the program is run. It works by analyzing the system's source code against one or more sets of coding rules to identify weaknesses such as programming errors, violations of coding standards, and security risks.
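The rule-matching described above, as an added example (not the assessment team's own tooling): a minimal static analyzer that parses Python source into an AST and applies three coding rules to it. The rule identifiers (SA001 to SA003) and the sample source it scans are constructed for this illustration.

```python
"""Minimal rule-based static analyzer (added example, not the vendor's scanner)."""
import ast
from dataclasses import dataclass

# Constructed sample of the kind of source a static scan is pointed at.
SAMPLE_SOURCE = '''
import subprocess

DB_PASSWORD = "hunter2"          # hardcoded credential

def run(cmd):
    subprocess.call(cmd, shell=True)   # shell invoked on caller-supplied string

def calc(expr):
    return eval(expr)            # arbitrary code execution
'''


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


class RuleChecker(ast.NodeVisitor):
    """Walks the AST once and applies each coding rule to the nodes it matches."""

    # Constructed list of identifier fragments that suggest a secret.
    SECRET_NAMES = ("password", "passwd", "secret", "token", "api_key")

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        # Rule SA001 (constructed id): eval/exec execute strings as code.
        if isinstance(node.func, ast.Name) and node.func.id in ("eval", "exec"):
            self.findings.append(Finding("SA001", node.lineno,
                                         f"use of {node.func.id}()"))
        # Rule SA002 (constructed id): subprocess.* with shell=True runs a shell.
        if (isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "subprocess"):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(Finding("SA002", node.lineno,
                                                 "subprocess call with shell=True"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # Rule SA003 (constructed id): string literal assigned to a secret-like name.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if (isinstance(target, ast.Name)
                        and any(s in target.id.lower() for s in self.SECRET_NAMES)):
                    self.findings.append(Finding("SA003", node.lineno,
                                                 f"hardcoded secret in {target.id}"))
        self.generic_visit(node)


def scan_source(source: str) -> list:
    """Parse the source and return every rule violation, ordered by line number."""
    checker = RuleChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: [{f.rule}] {f.message}")
```

Because the rules inspect the syntax tree rather than raw text, a commented-out `eval(` or a variable merely named `eval_mode` does not trigger a finding; that is the property that separates static analysis from a plain grep, and it is why real scanners carry hundreds of such rules.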
Dynamic Analysis
This method evaluates a program in real time (while it is running) and deals with real input data, such as data from Web requests. By exercising a program in all of the scenarios for which it was designed, dynamic analysis eliminates the need to artificially create situations likely to produce errors.
Component Analysis
To save time and money, modern software is commonly assembled from third-party and open source components. But if your organization did not write the code, how can you be certain of its quality and security? Component analysis identifies potential areas of risk from using third-party and open source software and hardware.
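The component check described above, as an added example (not the assessment team's own tooling): a dependency manifest in `name==version` form is parsed and each pinned version is compared against an advisory feed. The package names, advisory ids (`EXAMPLE-ADV-000x`) and affected version ranges are all constructed placeholders for this illustration.

```python
"""Minimal software-composition check (added example, not the vendor's scanner)."""
from dataclasses import dataclass

# Constructed dependency manifest, in the 'name==version' form that pip freeze prints.
MANIFEST = """\
# constructed sample manifest
acmehttp==2.3.0
widgetparser==1.8.2
safeutil==0.9.1
"""

# Constructed advisory feed with placeholder ids: each entry states the
# affected half-open range  introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "acmehttp",
     "introduced": "2.0.0", "fixed": "2.4.1",
     "summary": "placeholder: header parsing flaw"},
    {"id": "EXAMPLE-ADV-0002", "package": "widgetparser",
     "introduced": "0.0.0", "fixed": "1.8.0",
     "summary": "placeholder: unsafe deserialisation, already fixed in 1.8.x"},
    {"id": "EXAMPLE-ADV-0003", "package": "acmehttp",
     "introduced": "1.0.0", "fixed": "1.9.9",
     "summary": "placeholder: older issue not present in the 2.x line"},
]


@dataclass(frozen=True)
class Match:
    package: str
    version: str
    advisory_id: str
    fixed_in: str


def parse_version(v: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text: str) -> dict:
    """Map lower-cased package name to pinned version; unpinned lines are an error."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency cannot be assessed: {line}")
        deps[name.lower()] = version
    return deps


def check_components(manifest: str, advisories) -> list:
    """Return one Match per (component, advisory) pair whose version falls in range."""
    deps = parse_manifest(manifest)
    matches = []
    for adv in advisories:
        version = deps.get(adv["package"].lower())
        if version is None:
            continue  # component not used by this system
        v = parse_version(version)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            matches.append(Match(adv["package"], version, adv["id"], adv["fixed"]))
    return matches


if __name__ == "__main__":
    for m in check_components(MANIFEST, ADVISORIES):
        print(f"{m.package}=={m.version}: {m.advisory_id}, upgrade to {m.fixed_in}")
```

The numeric version comparison matters: a string comparison would rank `1.10.0` below `1.9.0` and silently miss or invent matches. Real feeds also carry ecosystem names and multiple ranges per advisory, but the matching logic is the same.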
Manual Penetration Test
For this type of security scan, an expert engineer typically collects information on the system, conducts a vulnerability assessment, attempts to exploit the system (a step known as an "actual exploit"), and prepares a report recommending any necessary corrective measures.