We've rebranded! Find out more about our rebrand to LRQA Nettitude here
Select Page


Traditional penetration tests often focus on addressing threat actors with limited or no prior information about the target system. In some cases this is appropriate, but for maximum levels of assurance, a code review is often a sensible approach. LRQA Nettitude has a team of application security experts who are able to review source code in order to identify vulnerabilities and dangerous coding practises that would not be possible with traditional dynamic testing.

The team at LRQA Nettitude are among the highest qualified within the cybersecurity industry and have a wealth of experience and knowledge with application security services. To find out more about code review services, or other services such as red teamingpenetration testing and managed security services, please fill out a contact form and we’ll be in touch.

CREST - STAR Threat Intelligence
CREST Threat Intelligence

When Is A Source Code Review Appropriate?

Generally speaking, source code review is appropriate whenever higher levels of assurance are required. With access to an applications source code, LRQA Nettitude are able to identify vulnerabilities that would otherwise be very difficult to find. As well as distinct vulnerabilities, a source code review typically reveals poor coding practices that are likely to lead to vulnerabilities in the future.


If any of the following points are applicable, a source code review is appropriate to consider:

  • High impact and critical applications
  • Open source software
  • Acquired or outsourced applications
  • Higher levels of assurance required
  • One or more dynamic penetration tests have previously been conducted

How Do LRQA Nettitude Perform Code Review Testing?

LRQA Nettitude will ensure that one or more consultants with relevant programming experience are assigned to the engagement. Each security consultant has a wealth of experience with application security.
Thorough understanding of the target application is necessary. The lead security consultant will spend time with an appropriate developer in order to gain an in-depth understanding of the software, before commencing with the actual source code review testing process. This will include collaborative conversation which covers relevant items such as design, documentation, etc.
Unless there are specific concerns for LRQA Nettitude to focus on, it is important to achieve both breadth and depth of coverage. To that end, a hybrid approach of dynamic tooling and manual review is used. It is also useful to have access to a running version of the target system at the same time as the code review is performed, in order to maximise on context and verify findings in real-time. Common languages we perform code review against include: PHP, ASP, Visual Basic, Java, C / C++, Objective-C, C#, Perl.

What Is The Output Of A Code Review?

All code reviews result in a management report and a technical report being written. The management report is designed for a non-technical audience and describes the overall security posture of the target system in terms of risk. The technical report is designed to be consumed by developers who need to understand the vulnerabilities in more detail. All of LRQA Nettitude’s reports are subject to a rigorous quality assurance process before being released.

Remedial advice is granular, relevant and actionable. Where common themes are identified, LRQA Nettitude will also address those from a higher level. Following the report delivery, LRQA Nettitude will conduct a debrief (or ‘readout’) with the partner organisation in order to assure full comprehension of the findings. After the debrief, LRQA Nettitude’s security consultants are on hand to answer any follow up questions about the security of the target application.

Get a free quote

speak to our experts