
5 best practices for the perfect secure code review

2022-06-21 11:23:00 0xtuhao

Translated from 5 Best Practices for the Perfect Secure Code Review. It analyzes the advantages and disadvantages of manual and automated code review clearly, and at the same time proposes several best practices that I think are reasonable and in line with our practical experience.

Imagine: you have been integrating security tools and processes throughout the development process, and now it is only a few days or hours before the application is released or updated. Is your application ready?

Not quite! There is one more step in the security process before the green light can be given: the secure code review. In many industries, including the healthcare and payment verticals, secure code reviews are a mandatory part of compliance requirements, and they provide an additional layer of security before the application is released. Mandatory or not, secure code reviews add value to the security of the application and of the entire organization.

A secure code review is the process by which an organization identifies and fixes potentially risky security vulnerabilities at a late stage of the development process. As the last safety valve before the application is released, the secure code review is an integral part of the security process. It serves as a final check that your code is secure, and that all of the application's dependencies and controls are safe and function as intended.

The OWASP Code Review Guide, written by Jeff Williams, puts it well: "Code is your only advantage over hackers. Don't give up this advantage by relying only on external penetration testing. Use the code."

What is a secure code review?

If you integrate security testing throughout the development process, you may think your release is secure. However, even after verifying through automated and/or manual checks that the application implements its security mechanisms correctly, you cannot be sure that no last-minute problems or vulnerabilities remain that security tools cannot detect.

This is what a secure code review does. Just as we proofread an important document before sending it, an application needs a "last check" to ensure that it and its components are free from security flaws. Secure code reviews are used to detect the inconsistencies not found by other types of security testing, and to ensure that the logic and business code of the application are sound. Reviews can be done manually or automatically; we discuss the pros and cons of each approach later.

Verifying the security of the code through a secure code review also reduces the time and resources needed to detect vulnerabilities after release. Vulnerabilities of the kind found during secure code review have led to numerous breaches, resulting in billions of dollars in lost revenue, fines and customer churn.

A secure code review focuses on finding defects in each of the following areas: authentication, authorization, security configuration, session management, logging, data validation, error handling and encryption. Code reviewers should be proficient in the development language of the application under review, and should know the secure coding practices and security controls they need to look for.

Another important requirement is that reviewers understand the full context of the application, including its target audience and use cases, in order to review the code successfully. Without that context, reviewers will be unable to protect certain parts of the code that may seem safe at first glance but may actually be vulnerable. Understanding the context in which the application will be used and how it will work is the only way to ensure that the applications you ship are adequately protected.

Manual and automated secure code reviews

When selecting tools and processes for conducting secure code reviews, you may run into the question of which tools to use and whether to rely on automated tools or on manual inspection. Which is better? As in other areas of the SDLC, the best approach is to mix the methods: combine a powerful static code analysis tool with manual review and inspection. The advantages and disadvantages of the two review methods are as follows:

Benefits of automated code review

• Detects hundreds of vulnerability types, including SQL injection and cross-site scripting

• In agile and continuous integration environments, the ability to test code quickly and at scale is critical

• Can be scheduled and run on demand

• Non-security checks, including business logic checks, can be added

• Automated testing can be extended to the needs of the organization

• Depending on the tool chosen, automated source code review can be customized to the organization's needs, in particular to specific compliance requirements and high-value applications

• Helps improve the security awareness of developers and provides a way to better train the developers who use the tool

Disadvantages of automated code review

• Tools that do not allow fine-tuning and customization may generate false positives and false negatives

• Coverage and breadth depend on the tool you select and the languages, frameworks and standards it covers

• There is a learning curve for those unfamiliar with static code analyzers

• Although powerful open-source automated review tools exist for common development languages, the tools don't always fit the budget plan

Advantages of manual code review

• Ability to drill down into code paths and check the design and architecture for logic errors and defects that most automated tools cannot find

• Compared with some automated tools, manual review works better for detecting security issues such as authorization, authentication and data validation

• Always has a place for high-value applications (when performed by reviewers with professional training)

• Looking at other people's code is a good way to learn about secure coding and AppSec

Disadvantages of manual code review

• Requires proficiency in the language and framework used in the application, as well as a deep understanding of security

• Different reviewers produce different reports, which leads to inconsistent results between reviewers, although peer review can be a fix

• Testing and reporting are time-consuming, and often require developers to take part in sometimes long interview meetings to give reviewers context, which consumes developers' time and resources

• For applications with more than 10-15k lines of code, manual review is limited to high-risk functions

Applications have thousands of lines of code, and the cycle for releasing new applications and versions keeps getting shorter. Even so, we are not reviewing code any faster than we were 10 to 15 years ago. On the other hand, no tool or person is perfect.

In addition, the Wikipedia entry on application security states: "The human brain is suited more for filtering, interrupting and reporting the outputs of automated source code analysis tools available commercially versus trying to trace every possible path through a compiled code base to find the root cause level vulnerabilities." In many ways, manual and automated source code review complement each other, each covering the areas where the other is usually weak.

As application security tooling matures, you will find that both manual and automated code review have a place in it. So if your budget accounts for both the cost of the tools and the cost of internal or outsourced reviewers, it is best to mix automated and manual review in your regular security activities.

5 tips to improve code security

1. Create a code review checklist to ensure consistency of reviews across different developers

When doing manual code review, ensure that all reviewers use the same comprehensive checklist. Just as the developers who write the code are human and may overlook the same secure coding practices, reviewers may forget certain checks if they do not use a well-designed checklist.

In addition, enforce time limits and mandatory breaks for manual code reviewers. Remember, just as we get tired after hours of working through email, reviewers get tired after reading for several hours. It is important to ensure that reviewers are at their best, especially when looking at high-value applications. At the same time, allocating a specific amount of time to source code review also motivates reviewers to complete their work in the time given.

2. Maintain a positive security culture by not singling out developers

It is easy to point out that developers keep making the same mistakes, especially with tools that can compare results. When building a security culture, it is important to avoid playing the blame game with developers, otherwise you only deepen the divide between security and development. Use your findings to guide your security awareness training: take these common mistakes as a starting point and use relevant examples that developers should be aware of.

Likewise, if developers feel that someone is watching them, ready to correct every mistake they make, they will not improve security. Raise their security awareness in a more positive way, and your relationship with the development team, and more importantly with the whole organization, will benefit.

3. Review your code every time you introduce meaningful changes

If you have a secure SDLC, you understand the value of testing your code regularly. The secure code review does not have to wait until release. For major applications, we recommend performing a manual code review whenever new changes are introduced, saving time and effort by reviewing the application in chunks.

4. Combining manual inspection and tools is the best way to detect all defects

Tools do not (yet) have human reasoning ability, so they cannot detect problems in the code's logic, and if you do not fix such defects in a piece of code, it is hard to correctly estimate the risk to the organization. Therefore, as discussed above, mixing static analysis testing with manual review is the best combination to avoid missing blind spots in your code. Use your team's expertise to examine the valuable areas and the more complex code and applications, and rely on automated tools to cover the rest.

5. Continuously monitor and track patterns of insecure code

By tracking the recurring problems you see across vulnerability reports and applications, you can help drive future reviews by revising your secure code review checklist and applying security awareness training. Monitoring your code gives you insight into the patterns that lead to certain defects, and helps when you update the review guide.


Copyright notice
This article was created by [0xtuhao]; when reposting, please include the original link. Thanks.
https://yzsam.com/2022/172/202206211103450856.html