
Secure Code Reviews: What is it, Benefits and Checklist

Threat Intelligence • Mar 10, 2023

No one disputes the importance of testing and validation during the Software Development Lifecycle (SDLC). But it is equally (if not more) important to conduct an additional review that focuses solely on security. Applications and software often contain vulnerabilities and flaws that are unknown to their developers but are found by hackers, sometimes years after release. Secure code reviews enable development teams to identify and eliminate such vulnerabilities before the application is released, reducing the chance of exploitation. They are also mandatory for regulatory compliance in many industries (e.g. healthcare and payments).

What is Secure Code Review?

Secure code review is the process of checking an application’s source code in order to identify and eliminate vulnerabilities that may have been inadvertently placed there during development. It may be done manually with a real person reviewing the code line by line, or with automated secure code review tools, which scan the code and report flaws.


Both methods have pros and cons. Manual reviews are time-consuming, error-prone and require domain expertise to be truly effective. Automated secure code review tools are faster and less error-prone, but also expensive. In addition, some tools only find certain types of flaws, while others produce “false positives,” which require time-consuming human intervention. This is why we recommend using a combination of the two.


Security code reviews should focus on these areas: 

  • Authentication and authorization
  • Data validation
  • Error handling
  • Session management
  • Security configuration
  • Logging
  • Encryption

HISTORY OF SECURE CODE REVIEWS

The concept of secure code review gained popularity in the late 1990s and early 2000s, when software security began to emerge as a major concern.


One of the earliest known instances of secure code review is the "lint" tool developed by Bell Labs in the 1970s. Lint was designed to identify coding errors and potential security vulnerabilities in C code. While not specifically designed for security purposes, lint can be considered an early form of code review that helped improve code quality and security.


After that, secure code review gained momentum as a security technique for finding and addressing vulnerabilities in software applications. In 2001, Microsoft published 'Writing Secure Code' in response to growing concerns about code vulnerabilities and the attacks it was suffering at the time. Today, secure code review has become a critical practice in software development, and many organizations consider it an essential part of their software development lifecycle.


According to Gary McGraw, CTO at Cigital and co-author of Building Secure Software, "I think that we’ve made a huge amount of progress in software security in the last decade. Now we are not done, and we have, by no means, solved the problems, but boy have we made great progress."


The secure code review process has evolved over time. In the past, it was conducted manually by security experts who inspected the code for potential vulnerabilities. This process was often slow and prone to human error, as it relied on the expertise and diligence of the reviewer.


Today, secure code reviews are often automated, utilizing a variety of tools and techniques to scan the code for potential vulnerabilities. Automated code review tools can quickly identify common vulnerabilities such as injection flaws, cross-site scripting (XSS), and insecure configurations, allowing developers to address them early in the development process.

THE SECURE CODE REVIEW PROCESS

A typical secure code review process looks something like this:


Planning: The team identifies the code that needs to be reviewed and sets goals and objectives for the review. They also define the scope of the review and the review methodology to be used.


Review Preparation: The code is prepared for the review by the development team. The team makes sure that the code is well-documented, easy to understand, and follows established coding standards.


Review Execution: The security team reviews the code to identify security vulnerabilities and ensure that the code follows secure coding practices. They use automated tools and manual techniques to analyze the code and identify potential security issues.


Issue Identification: The security team documents the identified security issues and assigns severity levels to each issue based on its impact on the system's security.


Issue Remediation: The development team fixes the identified security issues and re-tests the code to ensure that the fixes are effective.


Verification: The security team verifies that the identified security issues have been properly fixed and that the code is now secure.


Documentation: The security team documents the entire code review process, including the identified security issues, their severity levels, and the remediation steps taken.

Benefits of Secure Code Reviews

The goal of secure code reviews is not to find and address every potential issue or “glitch,” but to harden the code, making it more secure. Reviewers attempt to find specific security-related defects that a malicious actor could exploit to compromise the CIA triad of Confidentiality, Integrity, and Availability. Another vital aim is to “fail fast”, which means to ensure that bugs are revealed as early as possible, closer to their cause. This makes it easier to fix them before they cause serious security breaches post-release, which may lead to lost revenues, fines, angry customers, or a damaged reputation.


According to Microsoft, code reviews also help ensure the code’s “long-term maintainability” and enable teams to “communicate over a shared view of an evolving artifact.”

Secure Code Review Tools

Several types of tools can be used to carry out secure code reviews, and all of them are valuable to security analysts:


Static Analysis Tools: These tools are used to analyze the source code of an application without actually executing the code. 


Dynamic Analysis Tools: Also known as DAST tools, these analyze the behavior of an application while it is running. 


Penetration Testing Tools: These tools are used to simulate attacks on an application to identify vulnerabilities that could be exploited by attackers.


Code Review Checklists: These are lists of potential security vulnerabilities that developers can use as a guide when reviewing their code. They can help ensure that all potential vulnerabilities are considered during the review process.


Manual Code Reviews: While tools can be helpful, they cannot replace the expertise of a human reviewer. Manual code reviews involve a trained security professional reviewing the code line-by-line to identify potential vulnerabilities.


Automated static code analysis 


These tools support quick identification and remediation of flaws on a single platform without requiring source code, and offer nearly 100% code coverage.


According to TechTarget, "Static analysis, also called static code analysis, is a method of computer program debugging that is done by examining the code without executing the program."


It is a process that is used to detect errors in the code without actually running the program. 


Faulty code can later manifest as vulnerabilities that leave the software open to attack. Static analysis helps avoid this by checking that the code is free of such errors, secure, and compliant. In addition, static testing detects security flaws early, when they are easiest to fix.


There are a few different ways in which static code analysis can be done. According to OWASP, four different methods are:


  1. Data Flow Analysis
  2. Control Flow Graph
  3. Taint Analysis
  4. Lexical Analysis


Automated tools are most commonly used to carry out static analysis. They can identify vulnerabilities with a high degree of accuracy and precision, but they also carry the risk of a high false-positive rate.


Threat modeling 


Structured threat modeling provides context to security efforts, and reveals threats that need closer investigation.


According to OWASP, 'Threat modeling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value.' And a threat model is 'a structured representation of all the information that affects the security of an application.'


Essentially, threat modeling is another approach to identifying potential security vulnerabilities in a software application. It involves analyzing the system or application to understand how it works and identifying potential points of attack and security risks that could be exploited by attackers.


Software composition analysis


These tools identify vulnerabilities in open source code to mitigate risks and improve the remediation process.


Software Composition Analysis (SCA) is a technique for analyzing and managing the use of third-party components and open-source software in software development. It helps you identify whether any of these components have known security problems or licensing issues that could cause problems for your software. It is an automated process that uses SCA tools to examine the software's dependencies and report any issues to developers. SCA tools use various techniques to identify and track software components, including scanning the source code for dependencies, analyzing build files, and examining runtime environments. Once the components are identified, the tool can provide information on known vulnerabilities, licensing issues, and other risks associated with the use of those components.
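The core of an SCA tool is the match between the pinned dependencies it finds and an advisory feed's affected-version ranges. The following is an added example (not code from the original post or from any SCA product) that performs that match over a constructed requirements file and constructed advisories; the package names and advisory IDs are made up.

```python
# Constructed inputs (not from the page): a pinned requirements file and a tiny
# advisory feed with the fields real feeds carry: affected package, the version
# that introduced the flaw and the version that fixed it. All names are made up.
REQUIREMENTS = """\
# web service dependencies
acme-http==2.19.1
acme-web==2.3.2
acme-yaml==5.3
"""

ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "acme-http", "introduced": "0", "fixed": "2.20.0"},
    {"id": "ADV-EXAMPLE-2", "package": "acme-yaml", "introduced": "5.1", "fixed": "5.4"},
    {"id": "ADV-EXAMPLE-3", "package": "acme-web", "introduced": "2.4.0", "fixed": "2.4.1"},
]

def parse_version(v):
    """Dotted numeric version to a comparable tuple: '2.19.1' -> (2, 19, 1)."""
    return tuple(int(p) for p in v.split("."))

def parse_requirements(text):
    """Map package name -> pinned version; skips comments and unpinned lines."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            deps[name.strip().lower()] = version.strip()
    return deps

def find_vulnerable(deps, advisories):
    """Return (package, installed, advisory id, fixed) for each dependency whose
    installed version lies in the half-open affected range [introduced, fixed)."""
    findings = []
    for adv in advisories:
        installed = deps.get(adv["package"].lower())
        if installed is None:
            continue  # component not used, advisory does not apply
        v = parse_version(installed)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            findings.append((adv["package"], installed, adv["id"], adv["fixed"]))
    return findings
```

Reporting the fixed version alongside the finding is what makes the remediation step actionable: the developer knows the minimum upgrade that clears the advisory.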

Secure Code Review Checklist and Best Practices

To successfully review the code, reviewers should understand the application and its use cases, and be aware of the security controls to look out for. They should also follow some best practices, such as:


Use multiple techniques


Each review method can reveal issues that improve the final results, so it’s best to use a combination of complementary methods and secure code review tools.


Review code every time a meaningful change is introduced


Regularly testing code during development is usually better than waiting until just before release.


Continuously track insecure code patterns


Monitoring and tracking repetitive issues is useful for future reviews, and for updating the review guide.


Focus on the big picture and the intent of the review


It’s best to focus manual reviews on important general areas, while automated secure code review tools should be used to find specific flaws. The OWASP guide to secure code reviews is a great resource for more secure coding best practices.


Secure Code Review Checklist


A secure code review checklist helps maintain consistency across reviews and between different reviewers. As part of a comprehensive, well-structured audit strategy, it clarifies which security challenges need addressing.
Here is a good template:


1. Download the code to be tested

2. Check the file/folder structure to confirm that nothing is missing

3. Open the code in an IDE or text editor

4. Search the code for: 

  • Configuration files
  • Application routes
  • Sensitive keywords 

5. Scan the code with static analysis tools

6. Log valid security issues into a reporting tool and cross off invalid issues. To determine validity, look for three pieces of information: 

  • Source
  • Sink
  • Data transformations while flowing from source to sink

7. For valid issues, perform search queries on the code to find more issues of the same type
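The source/sink/transformation test in step 6 is exactly what the taint analysis method listed under static code analysis automates. The following is an added example, not code from the original post or from any SAST product: a minimal intra-procedural taint tracker over the Python AST. The source, sink and sanitizer names, and the program under review, are all constructed for the illustration.

```python
import ast

# Constructed program under review (not from the page): line 2 passes request
# input straight to a SQL sink, line 4 passes it through a sanitizer first.
SAMPLE = """\
user = request.args.get("name")
cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")
safe = escape(user)
cursor.execute("SELECT * FROM users WHERE name = '" + safe + "'")
"""

SOURCES = {"request.args.get"}           # where attacker-controlled data enters
SINKS = {"cursor.execute", "os.system"}  # where tainted data does damage
SANITIZERS = {"escape"}                  # transformations that neutralize taint

def _call_name(call):
    """Dotted name of a call target, e.g. 'cursor.execute'."""
    parts, node = [], call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))

def _is_tainted(node, tainted):
    """True if a tainted variable reaches this expression without passing
    through a sanitizer; other transformations (concat, .upper()) keep taint."""
    if isinstance(node, ast.Call) and _call_name(node) in SANITIZERS:
        return False
    if isinstance(node, ast.Name):
        return node.id in tainted
    return any(_is_tainted(c, tainted) for c in ast.iter_child_nodes(node))

def find_taint_flows(src):
    """Return (line, sink) pairs where source data reaches a sink unsanitized."""
    tainted, findings = set(), []
    for stmt in ast.parse(src).body:
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            name, val = stmt.targets[0].id, stmt.value
            is_source = isinstance(val, ast.Call) and _call_name(val) in SOURCES
            if is_source or _is_tainted(val, tainted):
                tainted.add(name)      # taint originates at a source or propagates
            else:
                tainted.discard(name)  # variable reassigned with clean data
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            call = stmt.value
            if _call_name(call) in SINKS and any(_is_tainted(a, tainted) for a in call.args):
                findings.append((stmt.lineno, _call_name(call)))
    return findings
```

Running `find_taint_flows(SAMPLE)` flags only line 2; line 4 is crossed off because the data was transformed by a recognised sanitizer on its way from source to sink, which is the validity judgement step 6 asks the reviewer to make.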

Conclusion

In today’s expanding threat landscape, bad actors are everywhere, waiting to exploit application vulnerabilities. Secure code reviews can help mitigate this risk. Development teams should harden their code through a combination of secure coding and secure code reviews. Secure code review training can also be invaluable and worth the investment for everyone involved.


The Guide to Secure Code Review by OWASP perfectly encapsulates the importance of secure code reviews:



“The code is your only advantage over hackers. Don’t rely only on external penetration testing…(Code review) is the fastest and most accurate way to find and diagnose many security problems.”
