In a world of automated static analysis tools, does the tedious, and often painful, process of manual security code review hold any value?
I would say: yes!
Manual security code reviews help:
- in understanding the intentions of the developer
- in understanding business intentions and logic
- in eliminating false positives that automated tools are prone to
- in identifying data validation, authentication, authorization, and cryptography vulnerabilities and flaws
- in identifying backdoors
- in examining hidden or less-traversed code paths (often missed by automated tools)
And in what scenarios should you opt for automated testing?
- for buffer/stack overflows and underflows – these are very difficult to identify reliably with manual reviews
- for very large code bases – a manual review is exhausting and can lead to more misses than discoveries when a review team has to sift through hundreds of thousands of lines of code.
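The following is an added example, not code from the original post. It contrasts the two points above in runnable form: a deliberately naive pattern-based scanner (a stand-in for an automated rule set, not any real tool) reports a false positive on a comment and says nothing about a genuine business-logic flaw, while the flaw itself is the kind a human reviewer catches by reading the authorization logic against the developer's intent. The order service, its users and orders, and the regex rules are all constructed for illustration.

```python
import re
from dataclasses import dataclass


# Constructed domain objects for a hypothetical order-lookup endpoint.
@dataclass
class User:
    user_id: int
    role: str = "customer"


@dataclass
class Order:
    order_id: int
    owner_id: int
    total: float


def view_order_flawed(current_user, order):
    """Authentication is checked, but object-level authorization is not.

    Every line is well-formed, idiomatic code, so nothing here matches a
    pattern rule; only reading it against the business intent ("a customer
    may see their own orders") reveals that any logged-in user can read
    any order.
    """
    if current_user is None:
        raise PermissionError("login required")
    return order


def view_order_fixed(current_user, order):
    """Same endpoint with the ownership check a reviewer would ask for."""
    if current_user is None:
        raise PermissionError("login required")
    # Object-level authorization: caller must own the order or be an admin.
    if order.owner_id != current_user.user_id and current_user.role != "admin":
        raise PermissionError("not your order")
    return order


# A deliberately simple stand-in for an automated rule set: token-level
# regexes that fire wherever the text appears, including in comments and
# string literals. Real tools are smarter than this, but the failure mode
# (noise on text, silence on logic) is the one the post describes.
RULES = {
    "hardcoded-password": re.compile(r'''password\s*=\s*["']'''),
    "dangerous-eval": re.compile(r"\beval\("),
}


def pattern_scan(source):
    """Return (line_no, rule_name) hits the way a naive scanner reports them."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for name, rule in RULES.items():
            if rule.search(line):
                hits.append((line_no, name))
    return hits


# Constructed source file under review: one comment that trips the password
# rule (false positive) and one authorization function with the real flaw
# that no rule mentions.
SAMPLE_SOURCE = '''\
import inspect
# Reminder: never log password = "..." values; mask them first.
def mask(value):
    return "*" * len(value)
def authz(user, order):
    if user is None:
        raise PermissionError("login required")
    return order
'''


if __name__ == "__main__":
    for line_no, rule in pattern_scan(SAMPLE_SOURCE):
        print(f"scanner: line {line_no}: {rule}")  # only the comment is flagged
    alice, bob = User(1), User(2)
    bobs_order = Order(order_id=10, owner_id=bob.user_id, total=9.99)
    print("flawed:", view_order_flawed(alice, bobs_order).order_id)  # leaks bob's order
    try:
        view_order_fixed(alice, bobs_order)
    except PermissionError as exc:
        print("fixed:", exc)
```

Running the block shows the scanner's single hit landing on a comment while the `authz` function in the sample passes clean; the `view_order_*` pair shows what the reviewer actually changes. The same shape applies to the other items in the first list (validation, cryptography choices, hidden branches): they are properties of intent and data flow, which a reader can check and a token matcher cannot.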