The Case for Manual Security Code Review

In a world of automated static analysis tools, does the tedious, and often painful, process of manual security code review still hold any value?

I would say, Yes!

Manual Security Code Reviews help:

  • in understanding the intentions of the developer
  • in understanding business intentions and logic
  • in eliminating false positives that automated tools are prone to
  • in identifying data validation, authentication, authorization, and cryptography vulnerabilities and flaws
  • in identifying backdoors
  • in examining hidden or less-traversed code paths (often missed by automated tools)
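To make the last four points concrete, here is an added example (not code from the original post): two versions of a document-fetching function with a hypothetical request shape and a constructed in-memory document store. The first version contains an authorization flaw and a hidden debug bypass that a static analyser has no reason to flag, because nothing in it reaches a dangerous sink such as SQL, a shell or a file path; a reviewer finds them only by asking what the developer intended and by reading the branch that is almost never exercised. The second version is the hardened form.

```python
"""Added example for the post above, not the author's code.

The request shape, the DOCUMENTS store and the Forbidden exception are
hypothetical constructions for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample data: which user owns which document.
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's quarterly numbers"},
    102: {"owner": "bob", "body": "bob's salary review"},
}


@dataclass
class Request:
    session_user: str                       # identity established server-side
    params: dict = field(default_factory=dict)  # client-supplied query parameters


class Forbidden(Exception):
    """Raised when the caller may not read the requested document."""


def fetch_document_vulnerable(req: Request, doc_id: int) -> str:
    """Flawed version: passes a scanner, fails a manual review.

    1. The ownership check compares the document owner against a
       client-supplied 'owner' parameter, falling back to the session user
       only when the parameter is absent. Any caller can therefore name
       the real owner and read the document (broken object-level
       authorization: a business-logic flaw).
    2. A 'support_mode' parameter, presumably left over from debugging,
       skips the check altogether: a hidden, rarely traversed code path
       that behaves exactly like a backdoor.
    """
    doc = DOCUMENTS[doc_id]
    if req.params.get("support_mode") == "1":
        return doc["body"]
    claimed_owner = req.params.get("owner", req.session_user)
    if doc["owner"] != claimed_owner:
        raise Forbidden()
    return doc["body"]


def fetch_document_fixed(req: Request, doc_id: int) -> str:
    """Hardened version.

    Authorization is decided solely from the server-side session identity;
    no client parameter can influence it, and the debug bypass is gone.
    A missing document and a document owned by someone else produce the
    same error, so document ids cannot be enumerated through the response.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != req.session_user:
        raise Forbidden()
    return doc["body"]


def denied(fetch, req: Request, doc_id: int) -> bool:
    """Return True if the given fetch function refuses the request."""
    try:
        fetch(req, doc_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # bob tries to read alice's document by naming her as the owner,
    # then by flipping the forgotten debug switch.
    spoof = Request("bob", {"owner": "alice"})
    backdoor = Request("bob", {"support_mode": "1"})
    for label, req in (("owner spoof", spoof), ("support_mode", backdoor)):
        print(f"{label:12} vulnerable denied={denied(fetch_document_vulnerable, req, 101)}"
              f"  fixed denied={denied(fetch_document_fixed, req, 101)}")
```

Neither defect involves tainted data reaching a sink, which is what most static analysers model; both are about the developer's intent (the check should bind to the session, not the request) and a code path that ordinary traffic never reaches. That is precisely the territory where a human reading the code earns its keep.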

And in what scenarios should you opt for automated testing?

  • for buffer/stack overflows and underflows – these are very difficult to spot reliably by reading the code, and tooling (static analysers, fuzzers, sanitizers) finds them far more consistently
  • for very large code bases – a manual review is exhausting and can lead to more misses than discoveries when a review team has to sift through hundreds of thousands of lines of code.