Wiki
Source Code Review Checklist

Checklist to perform a source code review

On binsec.wiki you can find a structured checklist for evaluating source code security as part of technical assessments. It follows established standards such as the OWASP Top 10 and PCI DSS and is used by binsec during code reviews to systematically identify and document security-relevant weaknesses. Clients can also use the checklist to prepare for a penetration test of a web application or API, helping them identify common vulnerabilities in advance.

The checklist covers the following test areas:

  • Test Object 1 – Communication
  • Test Object 2 – Authentication
  • Test Object 3 – Session Management
  • Test Object 4 – Authorization
  • Test Object 5 – Error Handling
  • Test Object 6 – Data Validation
  • Test Object 7 – Data Storage
  • Test Object 8 – Logging
  • Test Object 9 – Software Components
  • Test Object 10 – API Security
  • Test Object 11 – Cryptography

Go to Source Code Security Review Checklist

Provide knowledge
Our Wiki

This is our binsec wiki page.

binsec.wiki logo

Source Code Review Checklist

On binsec.wiki you can find a structured checklist for evaluating source code security. Based on established standards such as the OWASP Top 10 and PCI DSS, it helps developers and security teams identify common vulnerabilities early. The checklist is used by binsec during code reviews and can also be applied to prepare for security assessments of web applications and APIs.

How to scan networks

The "Hacking I: Scanning Networks" chapter of binsec.wiki's Pentest Training covers the critical first step in penetration testing: network reconnaissance. This phase involves mapping the attack surface by identifying active hosts, open ports, and the services running on those ports within a target network.

Online and Offline Password Attacks

The "Hacking II: Password Attacks" chapter of binsec.wiki's Pentest Training delves into a critical aspect of penetration testing: exploiting weak or compromised passwords to gain unauthorized access. The chapter distinguishes between online and offline password attacks.

Web Application Attacks

The Binsec Wiki’s "Hacking III: Web Application Attacks" explains that web apps with password-based roles expose a wide attack surface via forms, headers, and cookies. Client-side checks can be bypassed with tools like Burp Suite. Testing then focuses on common but critical flaws: SQL Injection (SQLi) and Cross-Site Scripting (XSS) - still among the most prevalent threats per OWASP.

Manual Penetration Testing by Certified, In-House Senior Penetration Testers

binsec penetration testing

Who tests

For more than ten years, binsec has stood for technically rigorous, strictly manual penetration testing. All engagements are conducted exclusively by employed senior penetration testers. Freelancers or subcontractors are not involved. Our clients work directly with the responsible senior tester who personally performs and technically leads the assessment. Communication is conducted in German and English; international projects are a regular part of our work. Our experts hold recognized offensive security certifications such as OSCP, OSCE, CRTO, and BACPP.

What we test

Our project experience covers complex enterprise networks, modern web and API architectures, and hybrid infrastructures. We work with organizations in manufacturing and industry, financial services and insurance, healthcare, IT and software providers, as well as public institutions. Technical, regulatory, and organizational requirements are systematically taken into account.

How we work

Our tests are based on a structured and reproducible methodology. They align with established standards such as OWASP and OSSTMM and are adapted to the specific project scope. Each assessment follows clearly defined phases: structured reconnaissance, manual analysis, targeted exploitation, and validated impact assessment. Automated tools support the process; identification, verification, and evaluation of vulnerabilities are performed manually.

Where we operate and document

Assessments are not conducted from cloud infrastructures. We operate our own infrastructure in a data center in Frankfurt. From there, all engagements are centrally executed and documented within our internal system PTDoc. PTDoc serves as the central documentation platform for all project data, evidence, and evaluations. All findings are recorded in a structured manner, technically described, risk-assessed, and supported by reproducible proof-of-concept information.

What you receive

We identify technical vulnerabilities and assess their business impact. Findings are evaluated based on risk or CVSS. The result is a clearly structured report including an executive management summary and detailed technical documentation. Re-testing of identified vulnerabilities is an integral part of our service.

Contact us

Pentest Knowledge and Tools

binsec.tools logo

Free pentest tools for your security analysis.

Pentest Tools
binsec.wiki logo

Take a look at our wiki page about pentesting.

Pentest WIKI
binsec FAQ logo

Straight answers to common pentesting questions.

Pentest FAQ
binsec news logo

News about pentesting and the binsec universe.

Pentest News

Company

binsec GmbH
Clemensstraße 6-8
60487 Frankfurt am Main
Germany

Contact

info@binsec.com

+49 692475607-0

Legal notice

Director: Patrick Sauer
Authorised Officer: Florian Zavatzki, Dominik Sauer
Registration: Frankfurt am Main, HRB97277
Turnover Tax Identification No.: DE290966808

© 2026 All rights reserved by binsec GmbH.

Privacy Notice

© 2026 All rights reserved by binsec GmbH.

Privacy Notice