
I've been writing software for ~7 years and have been actively interested in security for ~2-3. This interest has been entirely self-motivated and primarily on the attack side; I've written several FOSS offensive security tools and taken deep dives in certain attack vectors like DNS rebinding. Because of this experience I've managed to land my first infosec job as an Application Security Engineer at a VPS/cloud compute company. One of my roles will be to conduct regular code reviews of all of the software we build. I'm no stranger to reading code, and making informal suggestions, but this will be my first time conducting systematic and formal reviews of other people's code on a regular basis. To be honest, I'm a bit intimidated. I have a passion for security that I've exercised on my own for years, but I've never been in charge of making high-risk authoritative recommendations on the subject, at least not at a code level.

Does anyone have any suggestions for ways to gain experience or comfortability with conducting security related code reviews? I've got two weeks before assuming the role and I'd love to get some experience with reviewing code and learning to recommend best practices before I appear at the company as some sort of authority figure. Any general advice, recommendations, or thoughts are much appreciated!

Brannon
  • I think your question is more about manual code review, however, from a vulnerability scanning perspective we have found blackduck pretty good along with npm audit. This is probably not going towards really answering your question but I thought it might be of use. – Darragh Oct 24 '18 at 00:50
  • If you're looking for experience reviewing code, and getting info about code reviews then you want to check out the StackExchange called Code Review. People post code there, and other people review it. – Daisetsu Oct 24 '18 at 02:20

2 Answers


You could take OWASP ASVS as a baseline. It provides quite comprehensive coverage of software checks, broken down into the following categories:

Architecture
Authentication
Session Management
Access Control
Input validation and output encoding
Cryptography
Error Handling
Data Protection
Communications
Malicious Code
Business Logic Flaws
Files and Resources
Mobile
API
Configuration
Internet of Things

As you can see, the field can be quite wide, so I'd recommend building a threat model of the reviewed application to prioritise your approach - basically, reviewing the most critical parts first.

Going further, you can implement language-specific checks like those provided by CMU.

odo
  • It looks like there is also an [OWASP Code Review Guide](https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project)! – Brannon Oct 24 '18 at 13:43

I wouldn't worry about being an imposter. You have the development background to be able to relate to developers and they will probably be psyched to have someone from security who understands appsec for a change.

However, unless there are only a few applications in scope, what you are proposing is too big a job for one person to do manually.

  • You have to encourage security champions in the development staff. A security champion is a developer who is where you were a couple of years ago in terms of security interest. And you let them conduct the code reviews of their team's code.

  • There are static code analysis tools to help narrow the search for possible bad practices, such as Veracode (pricey), CodeDX (cheaper and not as accurate) and SonarQube (open source).

Part of your question is how to even do a code review. I got a lot out of the following videos: https://www.youtube.com/watch?v=7a5nN_sfK1E

https://www.youtube.com/watch?v=1m3eRFeCInY

mcgyver5