When security tools and processes are integrated throughout development, and an application or update is about to be released, don't forget that you've got one more step in the security process to go: a secure code review.
What Exactly Is A Secure Code Review?
If you've integrated security testing throughout your development process, you may think you're secured for release. But until you've verified, by automated and/or manual review, that your applications have correctly implemented their security mechanisms, you can't be sure that no last-minute issues, or vulnerabilities your security tools cannot detect, have slipped in.
This is where secure code reviews come into the picture. The same way we all review an important document one more time before sending it out, applications require a "last look" to ensure that the application and its components are free of security flaws. A secure code review serves to detect the inconsistencies that weren't found by other types of security testing, and to ensure the application's logic and business code is sound.
Secure code review is the process organizations go through to identify and fix potentially risky security vulnerabilities in the late stages of the development process. As the last threshold before an app is released, secure code reviews are an integral part of the security process. They serve as a final check that your code is safe and sound, and that all dependencies and controls of the application are secured and functional.
The role of Security Code Review
Verifying the security of your code via a secure code review also cuts down on the time and resources it would take to fix vulnerabilities detected after release. The security bugs being looked for during a secure code review have been the cause of countless breaches, which have resulted in billions of dollars in lost revenue, fines, and abandoned customers.
In many industries, including the healthcare and payment verticals, secure code reviews are a mandatory part of compliance requirements, and they offer an added layer of security before your application is released. Whether mandated or not, secure code reviews add value to the security of your application and of the organization at large.
Security code reviews focus on finding flaws in each of the following areas:
- Security configuration
- Session management
- Data validation
- Error handling
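As an added illustration of two of these areas (this is example code written for this article, not code from any reviewed application), the flawed function below is what a reviewer would flag for data validation and error handling, and the hardened function is the fix. The in-memory SQLite table and its rows are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users, one with an apostrophe in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user")])
    return conn


def lookup_role_flawed(conn, name):
    """What the review flags.

    Data validation: `name` is spliced into the SQL text, so a quote in the
    input changes the query's structure instead of being treated as data.
    Error handling: the raw database error is handed back to the caller,
    leaking query text and engine internals.
    """
    try:
        row = conn.execute(
            "SELECT role FROM users WHERE name = '" + name + "'").fetchone()
        return row[0] if row else None
    except Exception as exc:
        return "error: " + str(exc)


def lookup_role(conn, name):
    """Hardened form of the same lookup."""
    # Data validation: reject input that is not a short string before it
    # reaches the database at all.
    if not isinstance(name, str) or not 0 < len(name) <= 64:
        raise ValueError("invalid user name")
    # Parameterized query: the driver binds `name` as a value, never as SQL,
    # so "O'Brien" is looked up literally.
    try:
        row = conn.execute(
            "SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    except sqlite3.Error:
        # Error handling: the detail belongs in a server-side log (omitted
        # here); the caller only ever sees a generic failure.
        raise RuntimeError("lookup failed") from None
    return row[0] if row else None
```

A checklist item such as "no string-built SQL" or "no exception text returned to callers" makes these two findings repeatable across reviewers.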
What code reviewers need to have
Code reviewers should be well-versed in the language of the application they're testing, as well as knowledgeable about the secure coding practices and security controls they need to be looking out for.
The reviewer also needs to understand the full context of the application, including its intended audience and use cases, in order to review the code successfully. Without that context, code reviewers won't be able to secure parts of the code that look secure at first glance but, given the chance, can easily be attacked. Knowing the context in which an app is going to be used and how it will function is the only way to certify that the code adequately protects whatever you've entrusted to it.
Manual vs. Automated Secure Code Reviews
When it comes time to choose the tools and processes you'll use to conduct a secure code review, you may stumble upon the question of whether you should rely on automated tools or on human inspection. Which is better? As with other areas of your SDLC, the best approach is a mixed one, combining manual review with inspection using strong static code analysis tools. Here are the pros and cons of the two methods of review:
AUTOMATED CODE REVIEW
Automated Code Review Pros:
- Detects low-hanging fruit and hundreds of other vulnerabilities, including SQL injection and Cross-Site Scripting
- Ability to test quickly and in large chunks of code is crucial in agile and continuous integration environments
- Ability to be scheduled and run on demand
- Ability to add non-security checks, including business logic
- Ability to scale automated testing as per organizational need
- Depending on tool choice, an automated source code review tool can be customized per organizational needs, especially for certain compliance standards and for high-value applications
- Can help raise developer security awareness and offer a way to better educate developers who use the tool
Automated Code Review Cons:
- Tools that don't allow fine-tuning and customization can produce false positives and negatives
- Coverage and breadth are really dependent on the type of tool you choose and the languages, frameworks and standards it covers
- Comes with a learning curve for those not familiar with static code analysis tools
- Not viable for all budgets, though there are strong open source tools for common languages
MANUAL CODE REVIEW
Manual Code Review Pros:
- Ability to deep dive into the code paths to check for logical errors and flaws in the design and architecture that most automated tools couldn't find
- Security issues like authorization, authentication and data validation can be better detected manually compared to some automated tools
- There's always room for an extra set of (expertly trained) eyes on high-value applications
- Reviewing other people's code can be a great way to share secure coding and AppSec knowledge
Manual Code Review Cons:
- Requires an expert in both the language and the frameworks used in the app, with a deep understanding of security as well
- Different reviewers will produce different reports, resulting in inconsistent findings between reviewers, though peer reviews can be a fix
- Testing and writing up reports is time-consuming, and often requires developers to participate in sometimes lengthy interview sessions to offer context to the reviewer, costing developer time and resources
- Manual review of applications with more than 10-15k LoC is limited to targeting high-risk functions only
Applications have thousands to hundreds of thousands of lines of code, and the cycles we're running to release new apps and versions are getting shorter all the time. Still, we can't review code any faster than we did ten to fifteen years ago. On the other hand, no tool or human is perfect.
"The human brain is suited more for filtering, interpreting and reporting the outputs of automated source code analysis tools available commercially versus trying to trace every possible path through a compiled code base to find the root cause level vulnerabilities." In many ways, manual and automated source code reviews complement each other well, each covering the areas where the other is typically weak.
As your application security program matures, you'll find that both manual and automated code reviews should have a place in it. Thus, if your budget allows for both the cost of a tool and the cost of either an in-house reviewer or outsourced review, it's best to have a mix of both automated and manual reviews in your normal security activities.
5 Tips to a Better Secure Code Review
- Produce code review checklists to ensure consistency between reviews conducted by different developers
When conducting manual code reviews, make sure all reviewers are working from the same comprehensive checklist. Just as the developers writing the code are human and can neglect secure coding practices, reviewers can forget certain checks if they are not working with a well-designed checklist.
In addition, enforce time constraints as well as mandatory breaks for manual code reviewers. Remember, just as we all fade after writing emails or even reading for hours on end, reviewers will fatigue. It's important to ensure the reviewers are at their sharpest, especially when looking at high-value applications. At the same time, dedicating a specific amount of time to source code reviews will also keep reviewers motivated to finish in an appropriate amount of time.
- Ensure a positive security culture by not singling out developers
It can be easy, especially since some tools' reporting can compare results over time, to point the finger at developers who routinely make the same mistakes. It's important when building a security culture to refrain from playing the blame game with developers; this only serves to deepen the gap between security and development. Use your findings to help guide your security education and awareness program, using those common mistakes as a jumping-off point and as relevant examples developers should be looking out for.
Again, developers aren't going to improve in security if they feel someone's watching over their shoulder, ready to jump at every mistake made. Facilitate their security awareness in more positive ways, and your relationship with the development team, but more importantly with the organization in general, will reap the benefits.
- Review code each time a meaningful change in the code has been introduced
If you have a secure SDLC in place, you understand the value of testing code on a regular basis. Secure code reviews don't have to wait until just before release. For major applications, we suggest performing manual code reviews when new changes are introduced, saving time and human brainpower by having the app reviewed in chunks.
- A mix of human review and tool use is best to detect all flaws
Tools aren't (yet) armed with the mind of a human, and therefore can't detect issues in the logic of code and are hard-pressed to correctly estimate the risk to the organization if such a flaw is left unfixed. Thus, as we discussed above, a mix of static analysis testing and manual review is the best combination to avoid missing blind spots in the code. Use your team's expertise to review the more complicated code and the valuable areas of the application, and rely on automated tools to cover the rest.
- Continuously monitor and track patterns of insecure code
By tracking repetitive issues you see between reports and applications, you can help inform future reviews by modifying your secure code review checklist, as well as your AppSec awareness training. Monitoring your code offers great insight into the patterns that could be the cause of certain flaws, and will help you when you're updating your review guide.