Static Code Analysis :: Red Team Perspective

November 10, 2018 By Ryan Barger

Code review definitely has a home within a red team security assessment. Most commonly, the code is delivered as a “white card” preceding test activities. This methodology simulates a scenario in which read access to the code base has been compromised in some manner, such as through a lost laptop or thumb drive. Black box testing paradigms will also frequently employ static code analysis. In contrast, these scenarios involve gaining access to the code repository by exploiting a system information leak or discovering code through open-source intelligence collection.

A skilled red team can easily wield the gift of source code to improve the efficiency and utility of the overall test event. The scope of their analysis will, however, be limited. Red teams will often conduct the assessment devoid of automated tools with formally published rule-sets. Furthermore, red team analysts are usually only looking for specific exploits that fuel their simulated attack narrative. The team’s final report must therefore clearly articulate that this rudimentary analysis does not equate to the more regimented analysis attributed to a secure software development cycle.