Code reviews are a huge part of bringing security into the SDLC process.
While manual code reviews are tedious, labor-intensive, and require a person who both knows how to code and understands security, they can vastly improve an organization's security posture.
Manual code review can be broken down into three steps:
- Understand the premise
It's important to understand why the code was written and its intended business function. Interviewing the developers helps the AppSec person get context for the code being reviewed. It is also important to ask questions about how the security pieces were handled: data validation, authentication, logging, etc.
- Review the code
The actual review of the code requires patience and persistence. A suggested best practice for a team of reviewers is for each reviewer to review the code as a whole, rather than splitting the files up and assigning each reviewer a subset.
This ensures a second layer of review over each reviewer's work, provides a more holistic view, and plays to the strengths of each individual reviewer, as not all reviewers look for the same pattern anomalies or security entities, and each has their own way of approaching code reviews.
- Document and report the results
Once the review of the code is completed, the review team typically meets to discuss and compile the individual results. This step also helps to prioritize and quantify the security issues discovered. A report enumerating the findings, with descriptions, priority ratings, and potential mitigation methods, is compiled and submitted to the development team.
MITRE has a sample Secure Code Review Report uploaded here-