A Newbie’s Introduction to Secure Code Review

Ayush Jaiswal
4 min read · Dec 9, 2020

There are four basic methods for analyzing the security of a software application:

  1. Source Code Scanning Tools
  2. Automated Scanning
  3. Manual Pen Test
  4. Manual Code Review

[Figure: Survey relating detection methods to general vulnerability types]

In this article, we are going to discuss Secure Code Review and its advantages.

Code Review is a process of reading or viewing the source code of an application for quality assurance. Secure Code Review is an upgrade to the standard code review practice where the reviewers focus more on security considerations, such as company security standards. This also verifies that proper security controls are present and invoked at all the right places in the source code, and are working as intended.

The main aim of code review is to develop applications that are “self-defending” in their given environment. It also ensures that application developers are following secure development techniques while building the application. According to OWASP, a general rule of thumb is that a penetration test should not discover any additional vulnerabilities relating to the developed code after the application has undergone a proper security code review.

We can talk about its definitions and benefits all day long, but the importance of Secure Code Review can only be understood once we learn about the vulnerabilities it helps uncover within an application. It can inform us about security issues in these areas:

  1. Authentication
  2. Authorization
  3. Data Validation
  4. Encryption
  5. Error Handling
  6. Logging
  7. Session Management

These areas cover a major part of the OWASP Top 10 and MITRE Top 25 lists, and Secure Code Review helps identify most of them in the early phases of the Software Development Life Cycle (SDLC). It must be noted that no single technique for discovering vulnerabilities will identify all of them, so developers must adopt a defence-in-depth approach while developing any application to reduce the risk of unknown issues being included in it.

[Figure: Survey relating detection methods to OWASP Top 10 vulnerability types]

Certain organizations have taken responsibility for safeguarding the Confidentiality, Integrity and Availability (CIA) of applications and data, and have developed standard regulations for that purpose. Compliance with these regulations is mandatory for the companies they apply to. The Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR) are some examples of such regulations.

PCI DSS requirement 6.3.2 mandates a code review of custom code, and requirement 6.5 mandates that developers are trained in secure coding techniques and that applications are developed according to secure coding guidelines. Now that we have some idea of the importance of a Secure Code Review, let’s look at the types of Code Review, to help decide what kind of review we should include in the development process:

  1. API/Design Code Reviews: Help uncover security vulnerabilities in the application’s architecture and design, and ensure that proper security controls are implemented around the third-party APIs used.
  2. Maintainability Code Reviews: Help an organization develop best coding practices and design applications that are highly maintainable.
  3. Integration Code Reviews: Again, these reviews help develop best coding policies for an organization and ensure that any new code integrated into the existing code does not cause unintended behaviour or introduce a vulnerability.
  4. Testing Code Reviews: Make sure that all methods have appropriate exception handling, that code fails safely, and that all security controls are exercised by appropriate unit test cases.

Apart from these technical and security benefits, there are several advantages that can help any organization in the long run. Code Reviews provide a historical record of the codebase and its developers, verify that changes have been tested, help train junior developers, and give early warning of integration clashes.

Now we may think that there are several good Source Code Scanning Tools available, so why should we pay someone for a Manual Secure Code Review? To answer that, we must understand that automated tools can only discover a limited set of security issues and can also produce a significant number of false positives and false negatives. Business Logic Flaws and deeply hidden security flaws can only be discovered through Manual Secure Code Review. Thus, to develop a secure application or environment in the most cost- and time-effective manner, we must adopt a hybrid plan in which a combination of all four basic techniques is used for security testing.
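To make the two points above concrete (controls exercised by unit tests, and business logic flaws that only a human reviewer spots), here is an added illustration that is not part of the original article: a fund-transfer routine with two logic flaws beside the version a reviewer would ask for. The ledger, account ids and owner names are constructed for the example.

```python
# Added illustration (not from the article): two business logic flaws that a
# scanner has no reason to flag, beside the reviewed version. Data constructed.

class TransferError(Exception):
    pass

def sample_accounts():
    """Constructed sample ledger: account id -> [owner, balance in cents]."""
    return {"acc-1": ["alice", 10_000], "acc-2": ["bob", 500]}

def transfer_unreviewed(accounts, actor, src, dst, amount):
    """Flaw 1: never checks that `actor` owns `src` (missing authorization).
    Flaw 2: accepts a negative amount, which silently reverses the direction.
    No tainted input reaches a dangerous sink, so a scanner reports nothing."""
    if accounts[src][1] < amount:
        raise TransferError("insufficient funds")
    accounts[src][1] -= amount
    accounts[dst][1] += amount
    return accounts[src][1]

def transfer_reviewed(accounts, actor, src, dst, amount):
    """Same routine after review: authorization is invoked before any state
    change, the amount is validated, and every failure raises before the
    ledger is touched, so the function fails safely."""
    if src not in accounts or dst not in accounts:
        raise TransferError("unknown account")
    if accounts[src][0] != actor:
        raise TransferError("actor does not own the source account")
    if type(amount) is not int or amount <= 0:
        raise TransferError("amount must be a positive integer")
    if accounts[src][1] < amount:
        raise TransferError("insufficient funds")
    accounts[src][1] -= amount
    accounts[dst][1] += amount
    return accounts[src][1]

def review_finding_demo():
    """Bob moving money out of Alice's account: succeeds against the
    unreviewed code, refused by the reviewed one with the ledger untouched.
    Returns (bob_balance_after_unreviewed, reviewed_blocked)."""
    ledger = sample_accounts()
    transfer_unreviewed(ledger, "bob", "acc-1", "acc-2", 4_000)
    bob_after = ledger["acc-2"][1]
    ledger = sample_accounts()
    try:
        transfer_reviewed(ledger, "bob", "acc-1", "acc-2", 4_000)
        return bob_after, False
    except TransferError:
        return bob_after, ledger["acc-2"][1] == 500
```

The `review_finding_demo` check is the kind of unit test a Testing Code Review expects to find next to each security control.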

Before wrapping up this article, we must talk about the skills a reviewer needs and the things they must be familiar with:

  1. Coding Language(s) used for developing the application.
  2. Security Features and Issues of the coding language used.
  3. Best practices from Security and Performance perspective.
  4. Context of what we are trying to secure.
  5. Level of Security required for the application.
  6. Users of the application.
  7. Entities with whom the application communicates in its life.
  8. Availability of the application.
  9. Areas affected in case the application does not perform the intended task.
  10. Latest Security Standards and Vulnerabilities.

Hence we can conclude that Secure Code Review is important and must be included from the beginning of the Software Development Life Cycle (SDLC). However, we must never rely on Code Review alone to uncover every kind of security issue present in an application. Developers and Testers should use all four techniques and adopt a Secure Software Development Life Cycle (SSDLC) to reduce the chances of being vulnerable to attack.
