What is Code Review?
Code review is a code review practice that is widely used in projects open source and by software development companies and information security.
In terms of security, it boils down to scrutinizing all the source code of an application looking for vulnerabilities, be they logic or dangerous functions that can bring risks to the application. A safe code review does not attempt to identify all code vulnerabilities, but seeks to provide insight into the types of problems that exist and to help application developers understand what classes of flaws are present.
A secure code review focuses on seven security mechanisms, or areas:
- session management
- Data validation
- error handling
An application that is weak in any of these areas becomes a target for an attacker and increases the likelihood that the application will be used in an attack. A secure code review should inform programmers of the strength of the source code in each of these areas.
Manual vs. Automated Review
Code review can be approached automatically or manually, both approaches have their advantages and disadvantages.
– Researcher will look line by line trying to identify vulnerabilities.
– It requires a good amount of experience
– It takes a lot of time depending on the size of the application to be tested
– A tool will be used that will automatically look for security holes in the code
– The price of tools is relatively high
The best option for a code review is to understand all the advantages that manual and automated review brings and then adapt so that the job is done in the best possible way.
When to perform a code review?
Security must be present from the beginning of a project, whether it is helping developers write more secure code or creating threat models, however code review is most effective at the end of a project's source code writing, when all functions and features have already been developed.
Doing a code review does not necessarily mean that all vulnerabilities have been found, it is just one of many ways to implement security in the development of a software.
*Renato Dante is a Trainee Cyber Security Consultant at [SAFEWAY]
SAFEWAY is an Information Security company, recognized by its customers for offering high added value solutions, through Information Security projects that fully meet the needs of the business. In these years of experience, we have accumulated, with great pride, several successful projects that have earned us credibility and prominence in our clients, who constitute, in large part, the 100 largest companies in Brazil. Today through more than 22 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one stop shopping with the best technology, processes and people solutions.