Security Code Review
An in-depth security assessment of your application source code, combining automated analysis with expert manual review against OWASP verification standards.
What is a Security Code Review?
A Security Code Review is an in-depth security assessment of your application source code, combining automated analysis with expert manual review against two OWASP verification standards.
ASVS — Application Security Verification Standard
Up to 350 controls evaluated across 17 security domains, covering authentication, cryptography, session management, access control, data protection and more. Each control is scored as Passing, Partial or Failing to produce a per-domain maturity score.
SCVS — Software Component Verification Standard
67 controls across 6 supply chain domains: inventory, SBOM, build environment, package management, component analysis and pedigree. This evaluates the security of your dependency chain, build pipeline and component traceability.
The engagement uncovers injection flaws, broken authentication, insecure deserialization, cryptographic weaknesses and supply chain risks. You receive a prioritised remediation roadmap with concrete fixes and business impact context.
How do we proceed?
The engagement follows a rigorous methodology structured in five phases.
Scoping & Context Mapping
We identify applications and modules in scope, gather architecture documentation and understand the technology stack. An interview with your development team captures design decisions, deployment context and data flows. We define the applicable ASVS maturity level (L1, L2 or L3).
Automated & Manual Code Analysis
Combined analysis following three OWASP frameworks: Top 10 targeted vulnerability hunting, ASVS systematic control verification across 17 domains, and SCVS supply chain verification across 6 domains. Manual review complements automated tooling, including Software Composition Analysis (SCA) of third-party dependencies.
Risk Cartography & Scoring
Each vulnerability is plotted on a risk matrix combining probability and impact to produce risk levels from Extreme to Very Low. We produce maturity scores per ASVS and SCVS domain, an intrusion risk assessment and contextualised threat analysis.
Prioritised Recommendations
Findings are consolidated into a recommendations table, each mapped to a specific risk (RCE, data alteration, unauthorised access, supply chain attack) with concrete remediation actions and priority levels (High, Medium, Low).
Deliverables & Knowledge Transfer
Formal Walkthrough
Findings are presented to your development and security teams, covering the executive summary, critical findings and remediation roadmap. All client code and data are destroyed at engagement close.
Comprehensive Report
A comprehensive report including maturity scores across all ASVS and SCVS domains with visual dashboards, risk cartography matrix, detailed technical findings with exploitation scenarios and remediation code.
Remediation Roadmap
Prioritised recommendation table with effort estimates, distinguishing between immediate actions, reinforcement measures and long-term improvements.
Prerequisites
A copy of the application source code (specific version or archive), application architecture and deployment documentation, an interview with the development team or technical lead, and a designated technical contact on the client side.
National critical application
L2 ASVS and SCVS assessment of a 20-year legacy system managing sensitive citizen data
A public institution operating a critical national application, in production for over 20 years with regular evolutions, commissioned Tomeris to perform a Security Code Review. The application managed sensitive citizen data.
Tomeris conducted an L2 ASVS and SCVS assessment, evaluating the codebase against hundreds of controls across all security domains. The review surfaced deep vulnerabilities that years of black-box penetration testing could not detect: insecure Java deserialization enabling remote code execution, and XXE injection in SOAP service parsers.
The audit also revealed critical supply chain weaknesses through the SCVS analysis, including outdated dependencies with known CVEs and an absence of SBOM practices.
The final report delivered prioritised recommendations across three tiers: immediate fixes, progressive reinforcement and long-term improvement. All were achievable through configuration and code changes without re-architecting the application.
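The two code-level findings in this case study, XXE in a SOAP parser and insecure Java deserialization, are exactly the kind of defect a code review catches from configuration alone. The following is an added illustration, not Tomeris's report code and not the client's application: it shows a default DocumentBuilderFactory beside a hardened one that refuses DOCTYPE declarations, and an ObjectInputFilter allow-list applied to ObjectInputStream (Java 9+). The package name com.example.dto, the limits and the sample payloads are assumptions constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedParsers {

    // Vulnerable pattern for contrast: factory defaults accept a DOCTYPE and resolve entities,
    // which is what makes XXE possible in a SOAP endpoint that parses request bodies.
    public static DocumentBuilder defaultXmlParser() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened parser: no DOCTYPE at all, so neither external entities nor entity expansion
    // can be triggered. The feature URIs are the standard ones for the JDK's Xerces-based parser.
    public static DocumentBuilder hardenedXmlParser() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf.newDocumentBuilder();
    }

    // Deserialization filter: allow-list only the classes this endpoint legitimately exchanges
    // (com.example.dto is a placeholder package), reject everything else with "!*", and cap
    // nesting depth and stream size so hostile graphs are cut off early.
    public static ObjectInputFilter allowListFilter() {
        return ObjectInputFilter.Config.createFilter(
            "maxdepth=10;maxbytes=65536;com.example.dto.*;java.util.ArrayList;java.lang.*;!*");
    }

    public static Object readWithFilter(byte[] bytes) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(allowListFilter());
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a document carrying an (internal, harmless) DOCTYPE entity,
        // the shape an XXE probe takes; the hardened parser must reject it outright.
        String doc = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        byte[] xml = doc.getBytes(StandardCharsets.UTF_8);
        try {
            hardenedXmlParser().parse(new ByteArrayInputStream(xml));
            System.out.println("unexpected: hardened parser accepted DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected DOCTYPE: " + e.getMessage());
        }
        Document d = defaultXmlParser().parse(new ByteArrayInputStream(xml));
        System.out.println("default parser expanded entity to: " + d.getDocumentElement().getTextContent());

        // Constructed sample: a HashMap is not on the allow-list, so the filter rejects it
        // before any of its readObject logic runs.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new java.util.HashMap<String, String>());
        }
        try {
            readWithFilter(bos.toByteArray());
            System.out.println("unexpected: filter accepted HashMap");
        } catch (InvalidClassException e) {
            System.out.println("filter rejected class outside allow-list: " + e.getMessage());
        }
    }
}
```

During a review, the check is mechanical: every DocumentBuilderFactory, SAXParserFactory, XMLInputFactory or Transformer construction must set these features before use, and every ObjectInputStream must have a filter attached (or a JVM-wide one via the jdk.serialFilter property). A parser implementation that does not recognise one of the feature URIs throws ParserConfigurationException at startup, which is the desired failure mode: better to fail closed at deploy time than to parse untrusted SOAP bodies with defaults.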
Assessment Coverage
Ready to secure your codebase?
Request a Security Code Review and get an in-depth assessment of your application source code with a prioritised remediation roadmap.