The security of a system is critically dependent on the security of the software running on that system. Providing assurances as to the security of that software has always proved difficult, and in the general case impossible. However, while no technique exists to provide a guarantee, it certainly is possible to limit the risks posed, effectively plugging the gap.
According to the Open Web Application Security Project (OWASP), "Code review is, without a doubt, the single-most effective technique for identifying security flaws. When used together with automated tools and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort."
The efficacy of a manual code review process is evident, and easily demonstrable. A human reviewer can not only understand the context of code, but can also make a judgement on the use of certain coding practices, and thereby make a serious, yet accurate, risk estimate accounting for both "the likelihood of attack and the business impact of a breach."
Despite the many claims that code review is too expensive or time consuming, there is no question that it is the fastest and most accurate way to find and diagnose many security problems. There are also dozens of serious security problems that simply can't be found any other way. I can't emphasize the cost-effectiveness of security code review enough. Consider which of the approaches will identify the largest amount of the most significant security issues in your application, and security code review quickly becomes the obvious choice. This applies no matter what amount of money you can apply to the challenge.
Digit Security consultants have a long history of pro bono code review and reverse engineering of a wide range of software of varying complexity, ranging from local *NIX system binaries (CVE-2007-6276) to network services (CVE-2009-0849) to operating system kernels (CVE-2007-4571, CVE-2008-1517, CVE-2009-1041). To learn more, see research.
In brief, key areas of our software security testing and assessment expertise include the following: