Secure Code Review: How Secure is Your Code?

How Secure Is Your Code?

For many companies that develop software, throughput is always a critical metric. Directors, managers, and project leads constantly focus on the speed at which they are moving forward. Truth be told, they have to maintain this focus: if new code and applications are not released on a regular basis, the company’s bottom line is often negatively affected. Thus, they charge forward developing, testing, and releasing software that is functional and visually appealing to the customer. During testing, they look for any bug, glitch, or error that may negatively affect one of those key areas. Does it impact usage by the customer? Does it impact the appearance of the application? Notice that there is no mention of secure code review.

The line of questioning rarely asked during the testing process is: How secure is this code? Are there any vulnerabilities or risks being introduced to our systems or data? Is this code manageable long-term? The reason is that these questions and their answers rarely have a negative impact on user functionality and appearance, and almost always impact throughput. So why then are they important? Why is secure code review necessary if it appears to only negatively affect the process? The answer: a company may one day regret it, and quite literally lose everything, if the questions are not asked.

What Is Secure Code Review

Secure code review is simply this: “… the process of auditing the source code for an application to verify that the proper security controls are present, that they work as intended, and that they have been invoked in all the right places. Code review is a way of ensuring that the application has been developed so as to be “self-defending” in its given environment. Secure code review is a method of assuring secure application developers are following secure development techniques.” – OWASP. This testing can and should include a combination of both manual and automated testing. This will help increase both efficiency and the likelihood of vulnerabilities being discovered. This is not, nor should it ever be, a method for pointing blame. This is a process to reduce corporate liability and identify additional developer training needs.

Why Does My Organization’s Code Even Have Vulnerabilities?

In summary, any and all software has some degree of vulnerabilities and risks due to the inherent complexity of modern software. Proper organizational security must be a layered process comprising every stage, from development, to testing, to release, to hosting, and maintenance. For more information, we recommend reading our article on the Equifax Data Breach.

Automated Secure Code Review

Automated secure code review is usually the easiest and fastest method of taking an initial step into the realm of reviewing your code for vulnerabilities. This can be accomplished by writing custom scripts or by purchasing third-party tools designed for this purpose. Automated secure code scanning tools can often be integrated directly into your development build tool chain so that scanning happens automatically with each build. Most code scanners are then able to send email notifications or open tickets automatically based on their findings.

Automated secure code scanning is typically an easy way for a company to immediately start reviewing its code. It is excellent for identifying vulnerabilities that are more easily recognized by a computing system, such as buffer overflows. However, as with most automated tools for security analysis, it favors quantity over quality. Automated scanners are great because they can review large quantities of code rapidly. However, they can only find and identify issues that are recognizable via known patterns and formats. This is why, while it is a great place to start, automated scanning by itself is an incomplete solution.

Manual Secure Code Review

As the name suggests, manual secure code review is the process of someone, typically with a security background and who is not the original developer, reading through each line of code in context, searching for vulnerabilities and potential dangers. This can obviously be very time consuming and can even seem like an insurmountable task. However, if code is properly maintained within a source code repository with change tracking, then after the initial full review it is often possible for the differentials to be the only section of code needing to be manually reviewed on a regular basis. That being said, it is still good practice to schedule a complete manual review at some regular interval.
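As an added illustration of the two points above (a custom build-time scanner that only matches known patterns, and reviewing just the differential once an initial full review is done), the following example is not part of the original article. It assumes a unified diff as input and a constructed set of rules; the sample diff is constructed for this example.

```python
import re
from typing import List, Tuple

# Pattern rules such a build-time scanner might carry (constructed for this example).
# Each rule fires only on text of a known shape; see the deliberate miss in SAMPLE_DIFF.
RULES = [
    ("shell=True exposes the command line to injection", re.compile(r"shell\s*=\s*True")),
    ("possible hardcoded credential",
     re.compile(r"(?i)(password|secret|api_key)\s*=\s*['\"][^'\"]+['\"]")),
    ("eval() on a string is a code-injection sink", re.compile(r"\beval\s*\(")),
]

def added_lines(diff_text: str) -> List[Tuple[str, int, str]]:
    """Return (path, new_line_no, text) for every line a unified diff adds."""
    out, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                 # new-file header
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):                 # hunk header: take the new-side start
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            line_no = int(m.group(1)) if m else 0
        elif raw.startswith("+"):                  # added line: this is what we review
            out.append((path, line_no, raw[1:]))
            line_no += 1
        elif not raw.startswith("-"):              # unchanged context line
            line_no += 1
    return out

def scan_diff(diff_text: str) -> List[Tuple[str, int, str]]:
    """Apply every rule to the added lines only, i.e. the differential the text describes."""
    return [(p, n, msg) for p, n, text in added_lines(diff_text)
            for msg, pat in RULES if pat.search(text)]

# Constructed sample diff: two findings the pattern scanner catches, one it cannot.
SAMPLE_DIFF = """\
--- a/app/util.py
+++ b/app/util.py
@@ -10,2 +10,5 @@ def run(cmd, expr):
     log(cmd)
-    return subprocess.run(cmd)
+    if FAST:
+        return subprocess.run(cmd, shell=True)
+    DB_PASSWORD = "hunter2"
+    return subprocess.run(["sh", "-c", cmd])  # same risk, but no rule matches it
"""

if __name__ == "__main__":
    for path, line, msg in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{line}: {msg}")
```

The last added line carries the same risk as the `shell=True` call but escapes every rule, which is exactly the gap that a manual, in-context review of the same differential is meant to close.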

Manual code reviews are often best performed by third-party entities, for two primary reasons. First, third-party resources offer an external perspective and are likely to find and identify issues that have been glanced over and not recognized by internal personnel who have seen and reviewed the code so frequently. Second, third-party entities are not going to be concerned about hurting feelings or company politics, yet they are still capable of developing and releasing a complete report. Internal auditors often have to carefully navigate corporate politics so as not to ruin relationships or interfere with bottom-line metrics.

What Are The Key Components of a Manual Secure Code Review?

According to MITRE, proper secure code reviews consist of interviews, code reviews, and report delivery. Interviews are a critical initial stage of the process in which questions are asked of the developers. These questions and answers are used to ascertain the intent of the developer and their application, the overall knowledge and skill level of the developer, and their awareness of secure coding practices. Often, the answers provided during the interview segment will help shape the code review stage, making it more effective and more efficient.

The Code Review stage is literally that; it is the process of an individual or team of individuals manually reviewing the entirety of an application’s code, reviewing each line, function, and class in context and process flow to search for vulnerabilities – either direct or inherited. Finally, the reporting stage is crucial. During this stage, the code auditors must pull together the data from the interviews and findings from the code review into a clear and succinct document that identifies the issues, risks, and vulnerabilities discovered in a professional manner. This document must be understandable to a variety of people, often from the CIO/CEO down to the developers themselves. Thus, it is often best practice to include an executive overview followed by the detailed findings and proofs. This allows companies to begin taking action with the findings immediately.

Wrapping It Up

Development and applications will always have defects and vulnerabilities. As mentioned, this is the reality of today’s world due to the complexity of modern software. However, your company should be striving to constantly review, revise, and maintain its code using best security practices, including Secure Code Review, in order to minimize your risk and overall liability. Litigation frequently arises against companies that were not performing the minimal due diligence needed to ensure the safety of their customers and data.

Secure Code Reviews are a key component of due diligence for any software development organization or team. If your organization would like to begin the process of integrating secure code reviews into its development process, or you need assistance with secure code development or training, you can reach us below or by calling 855-477-4842. We would be glad to have a discussion with you and help identify areas where we may be able to help your organization.
