A secure code review is a software quality assurance process that examines software source code to detect security-related weaknesses, fix logic errors, correct flaws, and scrutinize specification implementation, all with the aim of building application source code of the utmost quality and security.
Secure code reviews are essential throughout the Software Development Life Cycle (SLDC) process as they empower enterprises to reduce the risk of inadvertently allowing code vulnerabilities to make their way through to production. This outcome pays immense dividends downstream, with one reputable peer-reviewed publication estimating “that each hour of inspection prevented about 100 hours of related work”.
Moreover, performing a secure code review ensures applications’ compliance to regulations such as PCI-DSS, HIPAA, and FDA-11, helping companies avoid reputational harm and fines and reduce the expense of fixing bugs that mainly occur at the early stages of the SDLC.
Regardless of the numerous interconnected requirements impacting an application on its journey through to the production environment - namely, conditions around maintainability, performance, functionality, portability, reliability, and compatibility - a well-deployed secure code review program must be deemed a top priority.
No matter the level of sophistication and execution, a review is exactly what it is - a review. It is a reactive response whose extensiveness and duration will be governed by the number of errors it has to identify and craft corrections for. If, upstream, fewer mistakes are made, the revision will proceed quickly. Conversely, if more unwitting errors make their way into the code at the implementation stage, more time will be spent on the review process… to borrow a saying often used to illustrate the importance of good input: “Bad data in, bad data out”.
The issue is that even if the review identifies and rectifies all of the flaws, the time taken to perform adequate remediation is not time well spent… and if code review skills aren’t available in-house, nor is stated remediation process cheap either, with external consultants and effective commercial tools creating holes in budgets that only the most well-heeled CISO offices can stomach!
In other words, an organization’s objective should generally be this: decrease the number of errors emerging in the first place and increase the internal capacities and processes to spot those errors that do arise. More on that toward the end, but first, let’s take a look at the two ways in which secure code reviews can be conducted.
A secure code review involves a manual or automated review of an application’s source code to identify security-related weaknesses in the code that a malicious user could leverage to compromise the privacy, integrity, and availability of an application.
Typically, in a manual secure code review process, one or more security professionals will examine source code that they themselves did not write, and then provide negative and/or positive feedback to the developer(s) that did. These reviewers, who are ideally disengaged from the project, will comb through a checklist of common coding mistakes and make recommendations per the company’s internal coding standards and overarching regulatory requirements (e.g., PCI-DSS as referenced above).
Depending on the software application, secure code reviewers are equipped with skills to measure the robustness of the source code in the following areas: authentication, authorization, session management, data validation, error handling, logging, and encryption. Additionally, and in contrast to their automated counterparts, human reviewers are far better at identifying unique bugs. As a result, manual review processes can be viewed as a more strategic type of process, perhaps deployed to inspect a particularly critical application or specific asset.
Whatever the findings, the reviewer will then share what they have identified with the code’s author(s), who will, in turn, respond to the comments and alter the code accordingly. Finally, once both parties agree on the changes, the code is then checked into the codebase to continue its way to the production environment.
Manual secure code review processes like the one described above necessitate highly experienced (read: expensive) security analysts to inspect the code line by line for patterns and security issues. Just as there is an advantage to utilizing the human mind for out-of-the-box problem identification, there is a distinct disadvantage as well - the amount of time it takes to complete the task.
Automated security code review tools, on the other hand, dramatically speed up the secure code review process as only a machine could. However, finding and deploying an effective automated code review tool can be an incredibly expensive affair. Furthermore, most automated programs cannot detect all security flaws and, moreover, depending on the type of tool, will produce significantly more false positives than a well-trained human would. Indeed, if the noise (overabundance of false positives) is too great, it stands to negate any time gains made by the tool in the first place as a human analyst will still have to cross out every erroneous alert.
All things considered, it is generally best practice for organizations to ‘use the best of both worlds’ and leverage manual and automated security code reviews cohesively.
If secure code reviews are a more regular part of the developmental process (performed in short sprints, for example), threats that would previously go unidentified by other testing tools could be recognized faster and dealt with appropriately.
Of course, paying for high-priced external consultants to run the costly tools isn’t an ideal scenario either, which brings us to the crux of the issue and, as it happens, the solution as well!
An ideal scenario was hinted at earlier in this article wherein an organization had developed adequate source code review skills in-house and also were producing fewer errors to begin with. This second point is key as it focuses on the source and not on the application of a salve for the symptom. Indeed, SecureFlag’s tagline is ‘Security from the first keystroke’ for good reason. Superior training delivered early on reduces the flow of bad code into the SDLC, alleviating load, pressure, and cost on those charged with the equally necessary responsibility of reviewing such code before it is released to the world.
As well as strengthening the capacity upstream by teaching developers secure coding skills, attention must also rest on enhancing security code review skills. Done well, and the two complementary processes significantly reduce delivery defects and security bugs, improve efficiency and consistency across codebases, and improve ROI by helping make processes faster and more secure, using fewer resources and time. Indeed, in modern-day software development, there is no good reason that a developer working in the SLDC should not possess the necessary security skills and knowledge to code in a secure manner and perform a secure code review.
In the main, organizations are staffed with exceptional talent - people capable of designing and bringing to life applications that serve a myriad of functions. However, developers are often not taught (or at least are not taught well) how to code securely in line with the most up-to-date secure coding best practices. On top of this, even fewer developers are equipped with the depth and breadth of secure code understanding to correctly perform secure code review processes, and as was previously illustrated, relying on tools and external help can be either costly or inefficient - or both.
SecureFlag is the most advanced secure coding training platform for Developers, DevOps, and QA engineers. Indeed, since 2020, SecureFlag provides training to all OWASP members globally, a significant validation of the platform’s efficacy in delivering training that is engageable and that sticks. Between the community instance via OWASP and the enterprise deployments in hundreds of organizations worldwide, SecureFlag is helping thousands of developers identify and repair security issues and strengthen their secure coding practices through hands-on labs. Importantly, the platform is built to cater both to the necessities of scale and to the idiosyncratic learning requirements and skills of the individual developer.
And the best part? Today, the team here at SecureFlag is thrilled to release our brand new Code Review Labs, built to further the scope and accessibility of secure coding in software development!
Contact SecureFlag for a demo of the new Code Review labs.