Through its code audit, ITrust analyses how the application was designed and how its code was developed. The main method is manual code reading: by following the data flows through the program, the processing functions are analysed to assess whether they are appropriate for the trust level of the input and output data they handle.
Open-source static code analysis tools can be used to find the most common errors, such as buffer overflows, format string bugs, time-of-check/time-of-use (TOCTOU) races, and so on. In all cases, manual analysis is required to eliminate false positives.
In order to cover the different types of vulnerabilities as exhaustively as possible, ITrust relies on several vulnerability repositories, including the following two main ones:
Wherever possible, the severity of the flaw is assessed, ranging from “not exploitable” to “taking total control of the server” or “theft of confidential information”.