Secure Code Review

What is Secure Code Review?

A secure code review is a specialised task involving manual and/or automated review of an application's source code in an attempt to identify security-related weaknesses in the code. A secure code review does not attempt to identify every issue in the code, but instead looks to provide insight into what types of problems exist and to help the developers of the application understand what classes of issues are present. The goal is to arm the developers with information to help them make the application's source code more sound and secure.

What does Secure Code Review involve?

A secure code review focuses on seven security mechanisms, or areas. An application that is weak in any area makes itself a target for a malicious user and increases the likelihood that the application will be used in an attack. A secure code review should inform the developers of the soundness of the source code in each of these areas:

  • Authentication
  • Authorisation
  • Session management
  • Data validation
  • Error handling
  • Logging
  • Encryption

Several weaknesses (flaws) can affect each of the preceding security mechanisms. Flaws in the handling of passwords often affect authentication. Flaws related to the type of information included in a message often affect error handling. Flaws in regular expressions often affect data validation.
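To make the three flaw classes above concrete, here is an added example (not from the original page) showing, for each, the weak form a reviewer would flag beside its corrected form: an unanchored regular expression for data validation, plaintext password comparison for authentication, and an error handler that echoes internal detail to the caller. The username rule, the PBKDF2 iteration count and the stand-in database call are constructed for illustration.

```python
import hashlib
import hmac
import logging
import re
import secrets
import uuid

# ---- Data validation: an anchoring flaw in a regular expression ----
# Constructed rule: 3-16 lowercase letters, digits or underscores.
USERNAME_PATTERN = r"[a-z0-9_]{3,16}"


def username_ok_weak(value: str) -> bool:
    # '$' also matches just before a trailing newline, so "alice\n" passes
    # even though a newline is not an allowed character.
    return re.match("^" + USERNAME_PATTERN + "$", value) is not None


def username_ok_strict(value: str) -> bool:
    # fullmatch() requires the whole string to match: no trailing newline,
    # no extra characters before or after the allowed ones.
    return re.fullmatch(USERNAME_PATTERN, value) is not None


# ---- Authentication: how the password is stored and compared ----
def store_password_weak(password: str) -> dict:
    # Keeps the password itself; any read of the record exposes it.
    return {"password": password}


def check_password_weak(record: dict, attempt: str) -> bool:
    # Plain string comparison against the stored secret.
    return record["password"] == attempt


PBKDF2_ITERATIONS = 200_000  # constructed value for the example


def store_password(password: str) -> dict:
    # Per-user random salt plus a slow key-derivation function; the record
    # never contains the password.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def check_password(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 record["salt"], record["iterations"])
    # Constant-time comparison so timing does not reveal matching prefixes.
    return hmac.compare_digest(digest, record["hash"])


# ---- Error handling: what goes into the message the caller sees ----
log = logging.getLogger("app")


def _query(user_id: str) -> str:
    # Constructed stand-in for a database call that fails on unknown ids and
    # whose exception text contains query internals.
    if user_id != "42":
        raise RuntimeError(
            f"SELECT * FROM users WHERE id='{user_id}' failed: no such row")
    return "user 42"


def lookup_weak(user_id: str) -> str:
    try:
        return _query(user_id)
    except Exception as exc:
        # Echoes the internal exception text (query, table names) to the caller.
        return f"Error: {exc}"


def lookup(user_id: str) -> str:
    try:
        return _query(user_id)
    except Exception as exc:
        # Full detail goes to the server log under a reference id; the
        # caller receives only the id to quote to support.
        ref = uuid.uuid4().hex[:8]
        log.error("lookup failed ref=%s user_id=%r error=%s", ref, user_id, exc)
        return f"Request failed (reference {ref})"
```

Each weak/strict pair is the kind of side-by-side finding a secure code review reports: the behaviour is the same on well-formed input, and the difference only shows on the inputs or failure paths a functional review does not exercise.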

Almost all software development life cycles include testing and validation, which is often accomplished as a code review by either a peer or an external entity. The review verifies that the application functions as expected and that required features have been implemented correctly. Code reviews are important and should still occur. However, an additional review with a focus solely on security should also be conducted.

Contact us now for a quote or additional information