Secure Code Review: A Beginner’s Guide
Hey everyone! I hope you all are safe and doing well!
In this blog we are going to discuss the most important topic in cyber security: “Secure Code Review”. This blog will help you understand how to approach a code review, and it will also help you in technical interviews. I will try to cover enough to get you started.
Myth: Secure code analysis has nothing to do with having a developer’s background; just a basic knowledge of code will work out.
So, What is Secure Code Review?
Secure code review aims to identify security flaws in the application related to its features and design, along with their exact root causes. It is also probably the single most effective technique for identifying security bugs early in the system development lifecycle. With the increasing complexity of applications and the advent of new technologies, traditional testing may fail to detect all the security flaws present in an application.
Review Process:
Manual vs. Automated
In a manual review, a reviewer reads the code line by line, looking for defects and security-related flaws. An automated review uses a tool to scan the code and report potential flaws.
Automated review is done with the help of paid tools like Checkmarx, Fortify, etc. There are also open source tools such as Find Security Bugs, Visual Code Grepger, etc. The approach with these tools is to feed in the code files and generate a report. But automated tools also tend to produce false positives (reported findings that are not actually issues). Adjudicating false positives requires human intervention and takes time away from the development team.
A manual review, in contrast, relies on significant domain expertise. As a code reviewer you are expected to point out flaws or vulnerabilities that would otherwise become loopholes in the application.
Approach of Manual Code Review
- Before starting the security review we should know which language the application is written in, whether Java, PHP, ASPX, etc.
- Then talk to the developers and understand the purpose of the application (payment, billing, forms, etc.). Also understand their approaches to mechanisms like authentication and data validation. Information gathered during this discussion can help jump-start the review and significantly decrease the time a reviewer spends trying to understand the code.
- Then ask the developer to provide all code files along with the web.config file. The web.config file is the application’s configuration file, where the basic server settings and the security header implementation live.
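Since the web.config file is the first thing a reviewer asks for, it helps to know which settings to look at. The script below is an added example (not code from the original post): it parses a constructed web.config, flags a few well-known weak ASP.NET settings (debug compilation, detailed error pages, cookies without HttpOnly/Secure) and reports which security headers are missing from `customHeaders`. The list of expected headers and the sample configurations are my own assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config with several weak settings (not taken from any real application).
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.7.2" />
    <customErrors mode="Off" />
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

# The same file with the weak settings corrected (also constructed for this example).
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.7.2" />
    <customErrors mode="On" defaultRedirect="~/Error" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="DENY" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

# Headers the reviewer expects to see (assumed baseline for this example).
EXPECTED_HEADERS = ("X-Frame-Options", "X-Content-Type-Options", "Strict-Transport-Security")


def review_web_config(xml_text):
    """Return a list of human-readable findings for common weak settings in an ASP.NET web.config."""
    root = ET.fromstring(xml_text)
    findings = []

    compilation = root.find("./system.web/compilation")
    if compilation is not None and compilation.get("debug", "false").lower() == "true":
        findings.append('compilation debug="true": stack traces and source lines reach users; set debug="false" in production')

    custom_errors = root.find("./system.web/customErrors")
    if custom_errors is not None and custom_errors.get("mode", "RemoteOnly") == "Off":
        findings.append('customErrors mode="Off": detailed error pages leak internals; use mode="On" with a defaultRedirect')

    cookies = root.find("./system.web/httpCookies")
    if cookies is None or cookies.get("httpOnlyCookies", "false").lower() != "true":
        findings.append('httpCookies httpOnlyCookies not "true": session cookie readable by script')
    if cookies is None or cookies.get("requireSSL", "false").lower() != "true":
        findings.append('httpCookies requireSSL not "true": cookie may be sent over plain HTTP')

    present = {add.get("name") for add in root.findall("./system.webServer/httpProtocol/customHeaders/add")}
    for header in EXPECTED_HEADERS:
        if header not in present:
            findings.append(f"missing security header in customHeaders: {header}")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(f"[{label}]")
        for finding in review_web_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it as a script to see the weak configuration produce six findings and the hardened one none; in a real review you would point the same function at the developer's actual web.config and treat each finding as a question for the developer rather than a confirmed vulnerability.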
Secure Deployment Checklist
The checklist should cover the most critical security controls and vulnerability areas such as:
- Data Validation
- Authentication
- Session Management
- Authorization
- Cryptography
- Error Handling
- Logging
- Security Configuration
- Network Architecture
During Manual Review
A program file typically contains hundreds of lines of code (300–400 lines), so we cannot manually review every line of every file. One technique is to search the code file (Control+F) for specific strings that are responsible for sensitive actions. Useful strings and their descriptions are mentioned below.
All of the strings above are responsible for actions in the web application that can lead to vulnerabilities. Some POCs are attached for your reference.
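The Control+F technique scales better when the search strings are kept as a scripted watchlist tied to the checklist areas above, so every file gets the same treatment. The script below is an added example and not code from the original post (the post's own table of search strings is not reproduced here): the regular expressions, the checklist mapping and the constructed C#/ASP.NET sample are my own assumptions. Each hit is a place for the reviewer to look, not a confirmed finding.

```python
import re
from collections import Counter

# Reviewer watchlist: regex -> (checklist area, why it deserves a look).
# Assumed for this example; extend it per language and framework under review.
WATCHLIST = {
    r"Request\.(QueryString|Form|Cookies|Params)\b": ("Data Validation", "untrusted input enters here; confirm it is validated"),
    r"new\s+SqlCommand\s*\(": ("Data Validation", "SQL sink; confirm the query is parameterised, not concatenated"),
    r"\"\s*\+\s*\w+\s*\+\s*\"": ("Data Validation", "string concatenation building a query or markup"),
    r"Response\.Write\s*\(": ("Data Validation", "raw output sink; confirm output encoding"),
    r"\b(MD5|SHA1|DES|RC4)\b": ("Cryptography", "weak or legacy algorithm"),
    r"\bcatch\s*\(\s*Exception\b": ("Error Handling", "broad catch; check what is logged or shown to the user"),
    r"validateRequest\s*=\s*\"false\"": ("Security Configuration", "request validation disabled"),
}
COMPILED = [(re.compile(p), area, note) for p, (area, note) in WATCHLIST.items()]

# Constructed C# snippet standing in for a page's code-behind (not from any real project).
SAMPLE_SOURCE = '''string user = Request.QueryString["user"];
string sql = "SELECT * FROM Users WHERE Name = '" + user + "'";
SqlCommand cmd = new SqlCommand(sql, conn);
Response.Write("Welcome " + user);
var hasher = MD5.Create();
try { cmd.ExecuteNonQuery(); } catch (Exception ex) { Response.Write(ex.ToString()); }
'''


def scan(source_text, filename="Page.aspx.cs"):
    """Return (filename, line_no, area, matched_text, note) for every watchlist hit, in file order."""
    findings = []
    for line_no, line in enumerate(source_text.splitlines(), start=1):
        hits = []
        for regex, area, note in COMPILED:
            for match in regex.finditer(line):
                hits.append((match.start(), area, match.group(0), note))
        for _, area, text, note in sorted(hits):
            findings.append((filename, line_no, area, text, note))
    return findings


def summarize_by_area(findings):
    """Count hits per checklist area so the reviewer can see where to spend time first."""
    return Counter(area for _, _, area, _, _ in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_SOURCE)
    for filename, line_no, area, text, note in results:
        print(f"{filename}:{line_no} [{area}] {text!r}: {note}")
    print(dict(summarize_by_area(results)))
```

The per-area summary is what makes this more useful than a raw Control+F: a file dense with Data Validation hits is where the injection and XSS review time should go, while a single Cryptography hit points straight at the algorithm choice.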
I hope you guys now have at least a basic idea of manual secure code review. In the next blog we will discuss each code area across different programming languages in detail, along with mitigations.
Thank You:)
Happy Hacking!!!
Keep learning and achieving ;)