What is Secure Code Review?
What does Secure Code Review involve?
A secure code review focuses on seven security mechanisms, or areas. A weakness in any one of them makes the application a target for a malicious user and raises the likelihood that the application will be compromised or used in an attack. A secure code review should tell the developers how sound the source code is in each of these areas:
- Session management
- Data validation
- Error handling
Several classes of flaw can affect each of these mechanisms. Flaws in how passwords are stored and compared often affect authentication. Flaws in what information an error message discloses to the caller often affect error handling. Flaws in regular expressions, such as patterns that accept more input than intended, often affect data validation.
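The three flaw types just named, shown the way a reviewer would present them: the flawed code that gets flagged next to the fix the reviewer would ask for. This is an added example written for this article, not code from the original page or from any particular project; the account table, usernames and passwords are constructed sample data, and the function names are hypothetical.

```python
"""Three flaw classes a secure code review looks for: a regex that validates
too little, an error path that tells the caller too much, and password
handling that keeps plaintext. Hypothetical application code for this
article; the sample data below is constructed."""
import hashlib
import hmac
import os
import re
import traceback

# ---- Data validation: regular-expression flaws ------------------------------
# Flawed: no start anchor, and '$' also matches just before a trailing
# newline, so "bad!alice" (the suffix matches) and "alice\n" both pass.
USERNAME_WEAK = re.compile(r"[a-z0-9_]{3,16}$")

def valid_username_weak(name: str) -> bool:
    return USERNAME_WEAK.search(name) is not None

# Fixed: fullmatch() requires the whole string to match the pattern, and "\n"
# is not in the character class, so the trailing-newline input is rejected.
USERNAME_OK = re.compile(r"[a-z0-9_]{3,16}")

def valid_username(name: str) -> bool:
    return USERNAME_OK.fullmatch(name) is not None

# ---- Error handling: what goes into the message -----------------------------
SERVER_LOG: list[str] = []                 # stands in for the application log
ACCOUNTS = {"a1": "alice@example.org"}     # constructed sample data

def account_email_weak(acct_id: str) -> dict:
    try:
        return {"ok": True, "email": ACCOUNTS[acct_id]}
    except KeyError:
        # Flawed: the caller receives the full traceback (file paths, internal
        # names, the exception type), which helps an attacker map the system.
        return {"ok": False, "error": traceback.format_exc()}

def account_email(acct_id: str) -> dict:
    try:
        return {"ok": True, "email": ACCOUNTS[acct_id]}
    except KeyError:
        # Fixed: detail goes to the server log; the caller gets a generic message.
        SERVER_LOG.append("account lookup failed: " + traceback.format_exc())
        return {"ok": False, "error": "account not found"}

# ---- Authentication: password handling --------------------------------------
def store_password_weak(password: str) -> str:
    return password                        # Flawed: plaintext at rest

def check_password_weak(password: str, stored: str) -> bool:
    return password == stored              # Flawed: plaintext, non-constant-time

def store_password(password: str, iterations: int = 600_000) -> tuple[bytes, bytes, int]:
    # Fixed: a random per-user salt and a deliberately slow PBKDF2-HMAC-SHA256
    # derivation; only salt, digest and iteration count are stored.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations

def check_password(password: str, record: tuple[bytes, bytes, int]) -> bool:
    salt, digest, iterations = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    print("regex  weak/fixed on 'alice\\n':",
          valid_username_weak("alice\n"), valid_username("alice\n"))
    print("error  weak message starts with:", account_email_weak("zzz")["error"][:33])
    print("error  fixed message:", account_email("zzz")["error"])
    rec = store_password("correct horse")
    print("auth   fixed:", check_password("correct horse", rec), check_password("wrong", rec))
```

Each pair is the kind of finding a security-focused review produces and a functional review does not: the flawed versions all "work" for well-formed input, and only fail under input or observation chosen by an attacker.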
Almost all software development life cycles include testing and validation, often carried out as a code review by a peer or an external party. That review verifies that the application functions as expected and that the required features have been implemented correctly. Such reviews are important and should continue, but they check correctness, not security. A separate review with a focus solely on security is still needed.