Conduct secure code reviews before, during and after app development

For the best defense, developers need a multi-pronged approach to application testing


Put yourself into the shoes of a software developer and picture this:

An application or update is days, or possibly just hours, away from release and you’ve been working hard to ensure that security tools and processes are integrated throughout the development process. You believe you’ve followed all the steps and your app is ready to go, right?

Wrong. You have one more step in the security process before you can give the green light: a secure code review.


If you’re wondering what a secure code review is, it’s the process organizations go through to identify and fix potentially risky security vulnerabilities in the late and final stages of development. It serves as a final step to ensure your code is safe and that all the dependencies and controls of the application are secured and functional. Here are six fundamentals for onboarding secure software.

Run through a checklist. This may seem obvious, but keeping the review process consistent is extremely important. When conducting manual code reviews, make sure all reviewers are working from the same comprehensive checklist. Enforce time constraints as well as mandatory breaks for manual code reviewers. It’s important to ensure the reviewers are at their sharpest, especially when looking at high-value applications.

Keep things positive. It’s easy to single out developers for mistakes. However, if you want to build a positive security culture, it’s important to refrain from playing the blame game; this only serves to deepen the gap between security and development. Use your findings to help guide your security education and awareness programs, using mistakes as a jumping-off point to spotlight what developers should be looking out for.

Rely on a mix of humans and tools. Tools aren’t armed with the mind of a human, and therefore can’t detect issues in the logic of code or judge the risk to the organization if such a flaw is left unfixed. Thus, a mix of static analysis testing and manual review is the best combination to avoid missing blind spots in the code. Use your team’s expertise to review more complicated code and valuable areas of the application, and rely on automated tools to cover the rest.

Create a defense with depth. At some point, even when being overly cautious and taking all the necessary steps to ensure safe code, a breach can still happen. To combat that, practice “defense in depth.” This principle is all about layering defense tools in order to minimize the number of holes in an application that would allow different attacks to take place. The idea behind defense in depth is that if one security layer fails, the next will be there to catch whatever attacks fall through the cracks of the first layer.

Track patterns and continuously monitor. By tracking repetitive issues that show up on reports and applications, you can help inform future reviews by modifying your secure code review checklist, as well as your AppSec awareness training. Monitoring code offers great insight into the patterns that could be the cause of certain flaws, and will help you when you’re updating your review guide.
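One way to turn the tracking step above into something a review lead can act on, as an added example that is not from the original article: it aggregates findings from several review and scan reports (constructed, hypothetical data with assumed `cwe`, `rule` and `file` keys) and surfaces the weakness categories that recur across reports, which are the natural candidates for new checklist items and training topics.

```python
"""Aggregate recurring findings across secure code review reports.

Added example, not from the original article. Assumes each report is a
list of findings with a 'cwe' category, a 'rule' name and a 'file' path.
"""
from collections import Counter, defaultdict

# Constructed sample reports (hypothetical data, not real scan output).
REPORTS = {
    "app-v1.2-sast": [
        {"cwe": "CWE-89", "rule": "sql-string-concat", "file": "db/users.py"},
        {"cwe": "CWE-79", "rule": "unescaped-template", "file": "web/profile.py"},
        {"cwe": "CWE-89", "rule": "sql-string-concat", "file": "db/orders.py"},
    ],
    "app-v1.3-manual": [
        {"cwe": "CWE-89", "rule": "sql-string-concat", "file": "db/reports.py"},
        {"cwe": "CWE-798", "rule": "hardcoded-credential", "file": "cfg/settings.py"},
    ],
    "app-v1.4-sast": [
        {"cwe": "CWE-79", "rule": "unescaped-template", "file": "web/search.py"},
        {"cwe": "CWE-89", "rule": "sql-string-concat", "file": "api/filters.py"},
    ],
}


def recurring_categories(reports, min_reports=2):
    """Return {cwe: (report_count, finding_count)} for categories seen in
    at least `min_reports` distinct reports, most widespread first."""
    reports_per_cwe = defaultdict(set)   # cwe -> set of report names
    findings_per_cwe = Counter()         # cwe -> total findings
    for name, findings in reports.items():
        for finding in findings:
            reports_per_cwe[finding["cwe"]].add(name)
            findings_per_cwe[finding["cwe"]] += 1
    result = {
        cwe: (len(names), findings_per_cwe[cwe])
        for cwe, names in reports_per_cwe.items()
        if len(names) >= min_reports
    }
    # Sort by how many reports a category spans, then by finding volume.
    return dict(sorted(result.items(), key=lambda kv: (-kv[1][0], -kv[1][1], kv[0])))


def checklist_items(reports, min_reports=2):
    """Turn recurring categories into checklist lines a reviewer can act on."""
    return [
        f"{cwe}: seen in {n_rep} reports ({n_find} findings); verify every change touching this class"
        for cwe, (n_rep, n_find) in recurring_categories(reports, min_reports).items()
    ]


if __name__ == "__main__":
    for line in checklist_items(REPORTS):
        print(line)
```

A one-off finding (CWE-798 in the sample) stays out of the checklist by default; lower `min_reports` to 1 if you want every category listed.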

Review, review and review some more. If you have a secure Software Development Life Cycle in place, you understand the value of testing code on a regular basis. Secure code reviews don’t have to wait until just before release; instead, review code each time a meaningful change has been introduced. For major applications, try performing manual code reviews when new changes are introduced, saving time and human brainpower by having the app reviewed in chunks.
