Secure Code Reviews: What is it, Benefits and Checklist
No one disputes the importance of testing and validation during the Software Development Lifecycle (SDLC). But it is equally (if not more) important to conduct an additional review that focuses solely on security. Applications often ship with vulnerabilities that are unknown to their developers but are found by attackers, sometimes years after release. Secure code reviews let development teams identify and eliminate such vulnerabilities before the application is released, reducing the opportunity for exploitation. They are also mandatory for regulatory compliance in many industries (e.g. healthcare and payments).
What is Secure Code Review?
Secure code review is the process of checking an application’s source code in order to identify and eliminate vulnerabilities that may have been inadvertently introduced during development. It may be done manually, with a reviewer reading the code line by line, or with automated secure code review tools that scan the code and report flaws.
Both methods have pros and cons. Manual reviews are time-consuming, error-prone and require domain expertise to be truly effective, but they are the only way to find logic and authorization flaws that depend on understanding what the application is supposed to do. Automated secure code review tools are faster and consistent across the whole code base, but commercial tools can be expensive, each tool finds only certain classes of flaws, and all of them produce “false positives” that require time-consuming human triage. This is why we recommend using a combination of the two.
Security code reviews should focus on these areas:
- Authentication and authorization
- Data validation
- Error handling
- Session management
- Security configuration
- Logging
- Encryption
Benefits of Secure Code Reviews
The goal of secure code reviews is not to find and address every potential issue or “glitch,” but to harden the code, making it more secure. Reviewers attempt to find specific security-related defects that a malicious actor could exploit to compromise the CIA triad of Confidentiality, Integrity, and Availability.
Another vital aim is to “fail fast”, which means to ensure that bugs are revealed as early as possible, closer to their cause. This makes it easier to fix them before they cause serious security breaches post-release, which may lead to lost revenues, fines, angry customers, or a damaged reputation.
According to Microsoft, code reviews also help ensure the code’s “long-term maintainability” and enable teams to “communicate over a shared view of an evolving artifact.”
Secure Code Review Tools
These secure code review tools are very valuable for security analysts:
Automated static code analysis
These tools analyse the code without executing it (some operate on compiled binaries rather than source), so they can examine every path in the code base rather than only the paths a test suite happens to exercise, and they report findings with file and line references on a single platform. Their coverage of the code is close to complete, but their coverage of flaw classes is not: they find well-defined patterns such as injection, unsafe API use and hard-coded secrets, miss business-logic and authorization errors, and their findings still need manual validation.
Threat modeling
Structured threat modeling provides context to security efforts, and reveals threats that need closer investigation.
Software composition analysis
These tools identify known vulnerabilities in the open source and third-party components an application depends on, by matching dependency names and versions against vulnerability databases, so that vulnerable libraries can be upgraded or patched and the remediation process can be prioritized.
Secure Code Review Checklist and Best Practices
To successfully review the code, reviewers should understand the application and its use cases, and be aware of the security controls to look out for. They should also follow some best practices, such as:
Use multiple techniques
Each review method can reveal issues that improve the final results, so it’s best to use a combination of complementary methods and secure code review tools.
Review code every time a meaningful change is introduced
Reviewing code as it changes during development catches issues while they are small and still fresh in the author’s mind; waiting until just before release makes fixes costlier and riskier.
Continuously track insecure code patterns
Monitoring and tracking repetitive issues is useful for future reviews, and for updating the review guide.
Focus on the big picture and the intent of the review
It’s best to focus manual reviews on important general areas, while automated secure code review tools should be used to find specific flaws.
The OWASP guide to secure code reviews is a great resource for more secure coding best practices.
Secure Code Review Checklist
A secure code review checklist can help maintain consistency between both reviews and different reviewers. As part of a comprehensive and well-structured audit strategy, it clarifies the security challenges that need addressing.
Here is a good template:
1. Obtain the exact revision of the code to be reviewed (a specific commit, tag or release build), so that findings can be tied to a version
2. Check the file/folder structure to confirm that nothing is missing (build scripts, configuration, vendored dependencies)
3. Open the code in an IDE or text editor with cross-reference support
4. Search the code for:
- Configuration files (credentials, connection strings, debug flags)
- Application routes, i.e. the entry points where external input arrives
- Sensitive keywords (e.g. password, secret, token, exec, eval, query)
5. Scan the code with static analysis tools
6. Log valid security issues into a reporting tool and cross off invalid ones. To determine validity, trace three things for each finding:
- Source: where the untrusted data enters (a request parameter, header, uploaded file or database record)
- Sink: the dangerous operation it reaches (a SQL query, shell command, HTML output, file path or deserializer)
- Data transformations while it flows from source to sink: whether validation, encoding or parameterization neutralizes it before it arrives. A finding is valid only when an attacker-controlled source reaches the sink without an adequate transformation in between
7. For each valid issue, search the code base for every other occurrence of the same pattern (the same sink, the same unsafe API, the same helper), since the same mistake is usually repeated elsewhere
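Steps 5 to 7 of the checklist, as an added worked example in Python that is not part of the original article or of any tool it mentions. It parses a small constructed module (embedded inline; it is not from a real project and assumes a Flask-style `request` object and a DB-API cursor) with the standard-library `ast` module, lists every `execute()` call whose query text is built at runtime (the step 7 search for the same pattern across the module), and then applies the step 6 validity test: a finding is kept only when a source, here anything read from `request`, reaches the sink through assignments without being parameterized. The `SOURCE_ROOTS` and `SINK_METHODS` sets and the `Finding` type are assumptions chosen for the sample, not a real SAST tool’s API.

```python
"""Source-to-sink validation for SQL string building: a deliberately small,
hypothetical helper illustrating checklist steps 5-7, not a real SAST tool."""
import ast
from dataclasses import dataclass

# Constructed sample module under review (assumed Flask request object and a
# DB-API cursor); it is not taken from any real project.
SAMPLE = '''
from flask import request

def get_user(cursor):
    user_id = request.args.get("id")                        # source
    query = "SELECT * FROM users WHERE id = " + user_id     # tainted transform
    cursor.execute(query)                                   # sink via variable
    return cursor.fetchone()

def search(cursor):
    term = request.form["q"]                                # source
    cursor.execute(f"SELECT * FROM items WHERE name LIKE '%{term}%'")  # sink

def delete(cursor, item_id):
    cursor.execute("DELETE FROM items WHERE id = %s", (item_id,))   # parameterized

def count(cursor):
    table = "audit_log"                                     # constant, no source
    cursor.execute("SELECT count(*) FROM " + table)         # dynamic but untainted
'''

SOURCE_ROOTS = {"request"}                 # assumption: attacker-controlled objects
SINK_METHODS = {"execute", "executemany"}  # assumption: DB-API query entry points


@dataclass
class Finding:
    func: str
    line: int
    valid: bool        # True when a source reaches the sink untransformed
    reason: str


def _names_in(node):
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def _is_source(node):
    return bool(_names_in(node) & SOURCE_ROOTS)


def _is_dynamic_string(node):
    """Query text assembled at runtime: f-string, + or % concatenation, .format()."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def find_dynamic_sinks(tree):
    """Steps 5 and 7: every sink call whose first argument is not a literal."""
    hits = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SINK_METHODS and node.args):
            continue
        arg = node.args[0]
        if isinstance(arg, ast.Constant):
            continue       # literal SQL; values travel separately as driver parameters
        if _is_dynamic_string(arg) or isinstance(arg, ast.Name):
            hits.append(node)
    return hits


def _tainted_names(func):
    """Propagate taint through simple assignments until nothing new appears."""
    assigns = [n for n in ast.walk(func) if isinstance(n, ast.Assign)]
    tainted, changed = set(), True
    while changed:
        changed = False
        for a in assigns:
            if _is_source(a.value) or (_names_in(a.value) & tainted):
                targets = {t.id for t in a.targets if isinstance(t, ast.Name)}
                if targets - tainted:
                    tainted |= targets
                    changed = True
    return tainted


def review(source_code):
    """Step 6: keep a finding only when a source demonstrably reaches the sink."""
    tree = ast.parse(source_code)
    findings = []
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = _tainted_names(func)
        for call in find_dynamic_sinks(func):
            arg = call.args[0]
            reaches = _is_source(arg) or bool(_names_in(arg) & tainted)
            findings.append(Finding(func.name, call.lineno, reaches,
                                    "source reaches sink" if reaches
                                    else "dynamic query, no source found"))
    return findings


def candidate_lines(source_code):
    """Step 7 view: line numbers of every same-shape sink in the whole module."""
    return [c.lineno for c in find_dynamic_sinks(ast.parse(source_code))]


if __name__ == "__main__":
    print("candidates:", candidate_lines(SAMPLE))
    for f in review(SAMPLE):
        print(f"{'VALID  ' if f.valid else 'INVALID'} {f.func}:{f.line} {f.reason}")
```

Run stand-alone, the pattern search reports three candidate sinks (lines 7, 12 and 19 of the sample), and the source-to-sink check keeps two of them and crosses off the third, where the dynamic query is built only from a constant. That is exactly the triage of step 6: the pattern alone is a lead, and the finding is logged only when the source, the sink and the missing transformation have all been established.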
Conclusion
In today’s expanding threat landscape, bad actors are everywhere, waiting to exploit application vulnerabilities. Secure code reviews can help mitigate this risk.
Development teams should harden their code through a combination of secure coding and secure code reviews. Secure code review training can also be invaluable and worth the investment for everyone involved.
The Guide to Secure Code Review by OWASP perfectly encapsulates the importance of secure code reviews:
“The code is your only advantage over hackers. Don’t rely only on external penetration testing…(Code review) is the fastest and most accurate way to find and diagnose many security problems.”