Question
I am not familiar with all the steps involved in a full-fledged information security review of an in-house developed application, so I am wondering whether or not the following scenario is commonplace.
A web application is created, and runs on top of Microsoft's .NET framework.
Under the terms of the security review, all third party code, defined here (however rightly or wrongly) as code not written in-house, needs to be reviewed.
Thus, even the .NET stack itself - not just the in-house code written on top of the .NET stack - needs to be audited. So besides the initial audit of the code, any Microsoft updates would have to be audited. For instance, suppose the app is using MVC 5.2, and Microsoft releases MVC 5.3, and the app upgrades to MVC 5.3; in this case, the app could not pass review until (among other tests) the MVC 5.3 codebase itself is run through auditing/review.
Is this part of normal information security reviews?
Explanation / Answer
No, you would not typically do this, though you can walk through much of the .NET supporting libraries in a debugger if you want to check exactly what a specific piece of code is doing. You may be able to scan some of the libraries using static code analysis tools that operate on binaries, but with large, reputable vendors they will have already done this or similar testing; smaller vendors may not have.
Ultimately, you need to look at the certifications, white papers, contract, reputation, and secure development practices of the vendor in order to determine the risk associated with the use of the code. For example, you may choose a certain operating system over another based on the risk posed by each, but you wouldn't review all the source code of either!