Not a complete code audit. When I spoke with them they told me they did not review the code line by line and instead checked the code against a database and then tried finding exploits manually.
Partially right. I'll elaborate.
You can audit code all day long, but there are some kinds of vulnerabilities that can be missed during a code audit. I don't believe in merely a code audit.
We have a multi-faceted approach. The audit starts off with a checklist where we go through an entire product and make a checklist of every function and permutation of functions. Every function is individually checked for a variety of vulnerabilities manually: sqli, rce, lfi, rfi, etc.
Here are some examples (only examples, this is the start of the checklist template) of what is done during the manual audit.
We start off looking at the installation of it. This would be, for example, something we would utilize on a hosting panel like DirectAdmin or cPanel:
[ ] Insecure Processes
[ ] Insecure Permissions
[ ] World Writable Files
[ ] World Writable Directories
[ ] Improper SUDO Configuration
[ ] Improper Cron Configuration
[ ] Improper MySQL Configuration
[ ] SUID Binaries
OK, say you have a function in that control panel that adds accounts; we would use a checklist something like this:
[ ] ACL Bypass
[ ] Arbitrary Command Executions
[ ] Input Validation Failures
[ ] SQL Injections
[ ] Directory Traversals
[ ] Local / Remote File Inclusions
[ ] XSS
[ ] CSRF
So every function is manually run through those various techniques.
It is true we have a script we run against code to look for various exploits; it's built in-house and modified often with new techniques. It's not like we are downloading flawfinder (http://www.dwheeler.com/flawfinder/) or something similar, running it against code and saying it's good to go. It's built by us. There is also always manual code auditing that occurs as well, especially to look for hidden functions. When we manually audit software we are looking at a variety of things. For example, on something such as SolusVM, while we are auditing it we are looking at a full mysql query log, a modified version of strace that we use, things like snoopy, etc. to get a big picture of how things work together.
One of the big things we find is often admin functions are available to users. One example is a billing software where you could send POST requests to admin functions. The software reported access denied, but in the database it was actually making the intended changes. The fix for this was the equivalent of a 'true' where there should have been a 'false'. The code was audited by another firm, and this exploit was found by us via manual exploitation.
There have been exploits we have found in software where we utilized 3-4 different functions inside the client side panel together to achieve root on the server hosting the software. Code wise they looked 'ok', but when used together they were quite sinister.
###
Regarding the SolusVM update. It was not a paid audit. It contains a quite serious vulnerability that was found completely through manual exploitation. Everyone should upgrade.
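The billing-panel bug described in the post above (the response says "access denied" but the database write still happens) reduced to a small Python model, as an added example that is not the original post's code nor the billing software's: a vulnerable handler whose ACL check only shapes the response, its hardened form, and an audit probe that compares the data store before and after a denied request, which is the "watch the query log, not just the HTTP reply" check that catches this class of flaw. The in-memory database, session dicts and function names are constructed for the example.

```python
import copy


def make_db():
    # Constructed in-memory stand-in for the panel's account table.
    return {"accounts": {}}


def is_admin(session):
    return session.get("role") == "admin"


def add_account_vulnerable(db, session, username):
    """Admin-only handler with the bug the post describes: the ACL check only
    decides what the response says, while the write is gated by a flag that
    was left 'true' where it should have been 'false'."""
    allowed = True  # bug: should start False and only flip for admins
    if not is_admin(session):
        response = {"status": 403, "body": "access denied"}
    else:
        response = {"status": 200, "body": "account created"}
    if allowed:  # always true, so every caller reaches the write
        db["accounts"][username] = {"created_by": session["user"]}
    return response


def add_account_fixed(db, session, username):
    """Hardened form: the authorization check comes first and returns
    immediately, so a denied request never reaches the data layer."""
    if not is_admin(session):
        return {"status": 403, "body": "access denied"}
    db["accounts"][username] = {"created_by": session["user"]}
    return {"status": 200, "body": "account created"}


def denied_request_changed_state(handler, session, username):
    """Audit probe: run a request as a non-admin, confirm the application
    reports denial, then diff the data store against a pre-request snapshot.
    Returns True when a denied request still mutated state (the bug)."""
    db = make_db()
    before = copy.deepcopy(db)
    response = handler(db, session, username)
    if response["status"] != 403:
        return False  # request was not denied; nothing to compare here
    return db != before
```

Asserting on stored state rather than on the response code is what separates this probe from a checklist tick; the same diff can be done against a real MySQL query log or table snapshot.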