25 August 2023
Code review is a proven technique for identifying security flaws and improving software quality. This article outlines an effective security code review process along with best practices to maximize impact.
Manual code review complements automated scanning tools by discovering threats that automation misses. Humans excel at semantic understanding, which lets them spot subtle issues such as authentication bypass flaws, insecure designs, race conditions and business logic errors.
Other key benefits of security code review include:
Regular code reviews are a crucial part of proactive AppSec programs.
A structured methodology ensures consistent, high quality code reviews. Key steps include:
1. Prepare review materials - Source code, libraries, specs, tools, checklists.
2. Assign reviewers and scope - Pick experienced reviewers, set review targets.
3. Perform initial review - Manual inspection of code logic and design.
4. Verify issues - Reproduce vulnerabilities, confirm legitimacy.
5. Prioritize issues - Rank severity based on impact and likelihood.
6. Track remediation - Log bugs, verify fixes in later sprints.
7. Report results - Communicate findings to stakeholders.
Mature programs use risk ratings and metrics to gauge code review efficacy over time.
Success begins with the reviewers. Look for these qualities:
Include architects familiar with overall design and feature owners with business logic insights.
Rotate participants across reviews to spread knowledge.
Carefully prioritizing review targets maximizes impact:
Sampling broadens coverage once critical code is secured. Configure tools to scan everything.
Divide large codebases into manageable subsets for incremental reviews.
Thorough manual inspection by appropriately skilled humans finds vulnerabilities tools miss. Some tips:
Take notes on issues as you go, for later reporting and tracking.
Confirm reported issues with steps to reproduce them, and weed out false positives.
Rank valid flaws by severity and risk levels:
Align ratings with organizational risk tolerance. Provide technical justification for ratings.
Quantitative scores incorporating damage potential, mitigations and threat agent factors further assist ranking.
The review doesn't end when results get reported. Track issues through resolution:
Integrate with existing workflows, such as Jira and formal change approval processes.
Celebrate developers who consistently deliver solid, secure code. Call out chronic offenders.
Code review efficacy metrics quantify progress:
Present trend lines to demonstrate improving maturity over time.
Compare costs against projected losses from exploited bugs to justify investment.
To deeply integrate security code review:
Sustained AppSec commitment pays compounding dividends over time as developing secure software becomes integral to engineering culture.
SAST (Static Application Security Testing) automatically scans code for vulnerabilities. Well-chosen tools boost review efficiency:
Avoid over-reliance on automation. The best tools empower people who understand app semantics and risks.
For large, complex codebases, conquer security inch-by-inch:
Celebrate milestones after addressing significant risk areas. Momentum builds as progress becomes visible.
Modern software teams fix flaws through fast feedback cycles. Enable this for security:
Humans empowered with knowledge, tools and feedback loops write better software.
Design decisions profoundly influence downstream security. Rigorously evaluate proposed designs for risks:
Probe assumptions and weigh alternatives:
Nip fundamentally flawed designs in the bud. Question everything.
Manual code review scales poorly. Automation brings consistency:
Automate where possible but still enable human judgement.
Automation without insight breeds cargo cult security.
A pace of 1,000 to 2,000 lines of code per hour is sustainable; break code into review sessions accordingly.
Developers find local issues. Experts identify subtle risks needing broader domain knowledge. Use both.
Testing confirms code works as intended. Reviews surface risks testing could miss. Do both thoroughly.
Copyright © 2024 JBI Training. All Rights Reserved.