Security code review is a process which systematically applies a collection of security audit methodologies capable of ensuring that both environments and coding practices contribute to the development of an application resilient to operational and environmental threats.
In practice, code reviews can take on numerous forms including lightweight code discussions or more involved processes such as pair programming, over the shoulder programming, and tool assisted practices. More advanced methodologies involve threat modeling, automated static code analysis, manual inspection, and formalized communication methodologies.
Both pair and over the shoulder programming involve two programmers reviewing the code as it is being produced while frequently switching roles. Static tool analysis focuses on “white box” testing where a security professional analyzes an application’s source code using automated tools such as static code analysis tools and scripts to locate issues. All code review practices aim to identify security flaws in code, ensure requirements are met, and also share knowledge among developers growing an organization’s capacity to respond to security challenges it faces.
Although some perceive the code review process as overly complex, trusting passive solutions like firewalls to secure applications will fail to keep pace with a rapidly evolving threat landscape. Today, secure application development necessitates an active, structured, and comprehensive security audit strategy capable of revealing security issues other methods overlook. To accomplish this, code review relies on curated lists of critical vulnerabilities, checklists, automated tools, threat modelling, and human intervention to provide contextual clarity to findings and consequently, produce a clearer understanding of the security challenges application developers will have to overcome.
At the heart of the code review process is the content that will fuel the process. For example, the Open Web Application Security Project’s (OWASP) Top 10 is a list of what OWASP considers to be the “10 most critical web application security risks” and provides the reader with a description of the vulnerability, examples of possible attacks, threat mitigation strategies, and additional relevant resources. OWASP cheat sheets and checklists are useful aides to the complex review process. Both the OWASP Top 10 and their checklists are freely available on their website and will help ensure critical vulnerabilities and review components are not overlooked during code review.
Threat modelling will provide your organization with a vantage point capable of better identifying threats and formulating responses by providing context to security efforts. Using a structured threat modeling process to decipher the relationships between an application’s components, it becomes possible to identify design flaws, critical components or other modules that need more closer look. It is unlikely that the application’s design as well as it is underlying environment will remain constant throughout the project’s life. As such, the threat model should be treated as a living document and the threat modelling process as a marathon, not a sprint.
Automated static code analysis tools are another essential component of the review process, offering near 100% code coverage and the ability to expose vulnerabilities invisible to others methodologies. For example, the discovery of an XSS or SQL injection vulnerability with a static source analysis tool could lead to searching the codebase for similar vulnerable coding patterns, a time intensive endeavor and potentially impossible if attempted by hand.
Lastly, binding the code review process together is the security professional who provides context and clarity. While automated tools can easily outperform their human counterparts in tasks like searching and replacing vulnerable code patterns within an immense codebase, they fall short in a number of other areas. The mind of an experienced security analyst is indispensable to tasks such as the identification of application logic issues as the ability to reflexively examine the code and its development process has yet to be duplicated by our automated counterparts. Ultimately, the code review process will be advanced by combining the strengths of automated tools and those of security professionals, allowing security teams to reveal a comprehensive array of risks and effectively convey their business impacts, an outcome neither could accomplish about on their own.
Code Review Tool List
Code Review Recommended Reading,