IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [code-review]

Questions about how to audit source code for security issues. Do note that requests for full code reviews are not on topic.

115 questions
87
votes
6 answers

How am I ever going to be able to "vet" 120,000+ lines of Composer PHP code not written by me?

I depend on PHP CLI for all kinds of personal and (hopefully, soon) professional/mission-critical "business logic". (This could be any other language and the exact same problem would still stand; I'm just stating what I personally use for the sake…
Paranoid Android
  • 711
  • 1
  • 4
  • 4
51
votes
3 answers

Security Review - password_hash implementation for PHP

I'm currently working on a "helper function" for PHP's core to make password hashing more secure and easier for the majority of developers. Basically, the goal is to make it so easy, that it's harder to invent your own implementation than to use the…
ircmaxell
  • 1,416
  • 12
  • 16
45
votes
5 answers

How to perform a security audit for a PHP application?

I have a PHP application that I would like to have audited for security. I'm familiar with most of the general security issues, but want to make sure I didn't miss anything. What steps should I take to perform a self-audit? What tools are…
VirtuosiMedia
  • 3,142
  • 3
  • 26
  • 32
37
votes
6 answers

Teaching a loved one about secure coding practices

This might be far too narrow, but it is a unique problem to ITSec professionals. A loved one is just starting out in a new programming career and I get the joy of watching her learn the most basic programming concepts from scratch. She is at the top…
schroeder
  • 123,438
  • 55
  • 284
  • 319
23
votes
3 answers

What ways are there to verify a self-written protocol?

Before everyone goes yelling: "NEVER DO YOUR OWN CRYPTO", I haven't, technically (I'm still half way), but apart from that I am making a TLS-like protocol, but way lighter. I needed to secure communication between several embedded systems with very…
Vincent
  • 433
  • 3
  • 9
22
votes
3 answers

White-box vs. Black-box

What are the relative advantages and disadvantages of each form of testing? I.e. What is the difference between static code analysis and runtime/dynamic penetration testing? What are the pros and cons of each? Are there situations where one is…
AviD
  • 72,138
  • 22
  • 136
  • 218
22
votes
4 answers

Suspicious JavaScript in website header

I am not sure if this is the correct place to ask a questions such as this, apologies if it isn't. I have found the below code in the header of one of my wordPress websites, I am pretty sure it is malicious and I have removed it. However I am…
bf2mad
  • 401
  • 3
  • 9
18
votes
4 answers

Criteria for Evaluating Static Analysis Tools

As with any tools purchase part of the outcome is in how good the evaluation criteria are, so it is important to understand the criteria people might use when assessing Security static analysis tools. Obviously the weighting on each criterion would…
Rory McCune
  • 60,923
  • 14
  • 136
  • 217
18
votes
6 answers

Automated tools vs. Manual reviews

What are the advantages of using automated tools, as opposed to manual review? What are the disadvantages? This applies both to external blackbox vulnerability scanning, and to static code analysis. From the original Area51 proposal
AviD
  • 72,138
  • 22
  • 136
  • 218
16
votes
3 answers

Getting a manual security code review done - What to watch out for?

We have a PHP application that we want to get code reviewed from an external security consultant, but I'm not clear on "how to" go about that process. We did specify what kind of tests he should be doing, and the first part of his submitted report…
matt74tm
14
votes
6 answers

Code Analysis: Binary vs Source

While conducting a software security assessment, if you have access to the source code of a compiled application (say C++), would you ever do any analysis upon the compiled version, either with any automated techniques or manually? Is fuzzing the…
TobyS
  • 1,597
  • 1
  • 12
  • 17
11
votes
3 answers

Can anyone suggest good open source tools for scanning source code for vulnerabilities?

I'm particularly looking ones which detect vulnerabilities in C/C++ code. I've seen a bunch of proprietary tools but no open source ones.
Magnus
  • 1,154
  • 10
  • 18
11
votes
1 answer

Is NoScript bad?

I just came to know about NoScript, but after installing it opened the author's homepage with an advert for 'SpeedUpMyPC' that pointed to a UniBlue website, which I found fishy. Googling turned up this, but it's been many years now since that time.…
user21820
  • 623
  • 1
  • 6
  • 13
10
votes
3 answers

Finding security consultant for doing in-depth code review?

We have a PHP application that we know has poor coding practices (because the developers did not have a good understanding of PHP / programming fundamentals). This could lead to the scenario where we have severe security flaws in our code even at…
siliconpi
  • 1,087
  • 1
  • 10
  • 20
10
votes
1 answer

How to encourage responsible disclosure (and react appropriately otherwise)

As a conscientious programmer, I put security as one of the core requirements of every product I develop. To prevent flaws from being introduced, I promote a culture of awareness (e.g. make sure that team members I work with know about common…
Alessandro Menti
  • 233
  • 2
  • 8
1
2 3 4 5 6 7 8