Select Page


Traditional penetration tests often focus on addressing threat actors with limited or no prior information about the target system. In some cases this is appropriate, but for maximum levels of assurance, a code review is often a sensible approach. LRQA Nettitude has a team of application security experts who are able to review source code in order to identify vulnerabilities and dangerous coding practises that would not be possible with traditional dynamic testing.
The team at LRQA Nettitude are among the highest qualified within the cybersecurity industry and have a wealth of experience and knowledge with application security services. To find out more about code review services, or other services such as red teamingpenetration testing and managed security services, please fill out a contact form and we’ll be in touch.

CREST - STAR Threat Intelligence
CREST Threat Intelligence

When Is A Source Code Review Appropriate?

Generally speaking, source code review is appropriate whenever higher levels of assurance are required. With access to an applications source code, LRQA Nettitude are able to identify vulnerabilities that would otherwise be very difficult to find. As well as distinct vulnerabilities, a source code review typically reveals poor coding practices that are likely to lead to vulnerabilities in the future.


If any of the following points are applicable, a source code review is appropriate to consider:

  • High impact and critical applications
  • Open source software
  • Acquired or outsourced applications
  • Higher levels of assurance required
  • One or more dynamic penetration tests have previously been conducted

How Do LRQA Nettitude Perform Code Review Testing?

LRQA Nettitude will ensure that one or more consultants with relevant programming experience are assigned to the engagement. Each security consultant has a wealth of experience with application security.
Thorough understanding of the target application is necessary. The lead security consultant will spend time with an appropriate developer in order to gain an in-depth understanding of the software, before commencing with the actual source code review testing process. This will include collaborative conversation which covers relevant items such as design, documentation, etc.
Unless there are specific concerns for LRQA Nettitude to focus on, it is important to achieve both breadth and depth of coverage. To that end, a hybrid approach of dynamic tooling and manual review is used. It is also useful to have access to a running version of the target system at the same time as the code review is performed, in order to maximise on context and verify findings in real-time. Common languages we perform code review against include: PHP, ASP, Visual Basic, Java, C / C++, Objective-C, C#, Perl.

What Is The Output Of A Code Review?

All code reviews result in a management report and a technical report being written. The management report is designed for a non-technical audience and describes the overall security posture of the target system in terms of risk. The technical report is designed to be consumed by developers who need to understand the vulnerabilities in more detail. All of LRQA Nettitude’s reports are subject to a rigorous quality assurance process before being released.

Remedial advice is granular, relevant and actionable. Where common themes are identified, LRQA Nettitude will also address those from a higher level. Following the report delivery, LRQA Nettitude will conduct a debrief (or ‘readout’) with the partner organisation in order to assure full comprehension of the findings. After the debrief, LRQA Nettitude’s security consultants are on hand to answer any follow up questions about the security of the target application.

Frequently Asked Questions about Data Privacy Security

What is an incident response policy?

An Incident response plan or policy is a process you create before you experience a cyberattack. This is so that your team has a procedure to follow when you do experience a data breach. LRQA Nettitude follows the CREST Cybersecurity Incident Response process which is broken down into 3 phases: preparation, response, and follow up. Having a breach plan gives you the confidence to quickly nullify any threat to your data privacy security.

Why is data privacy security important?

Although it has always been important, the implications and need for higher security are coming into play now that technology is indispensable to everyday life. Using apps, browsing websites, and shopping online are all examples of how your data will be stored and managed online. For organisations today, the threat of cyber theft is a pertinent one. Having comprehensive data privacy plans in place can reduce and mitigate the risks of such events.

Does LRQA Nettitude practice sustainability?

As a company with a global footprint, sustainability is an area of importance to us. We are a registered ‘Investor in People’ organisation. Taking a cue from ISO 14001, we have strong sustainability practices put in place. Our organisation also hires fairly and equally, across gender and race. By working with us, you can rest assured that we implement data privacy security measures with ethics at the core of our mission.

Get a free quote

speak to our experts