Whether you’re reviewing a team member’s pull request, pairing, or even reviewing your own code before deploying, code review provides a moment to step back from the code and ask yourself the important questions.
Does this do what it’s supposed to? Did I miss any bugs? Will the code be easy to work with next time? But do you ask any questions about the security of the code you’re looking at? Most of us still don’t know how to tell if code is secure.
Here are eight security questions to ask yourself the next time you’re reading or reviewing code.
1. Where’s the input going?
The number one trick hackers use to exploit an application is to trick it into treating user input as code. Common examples of this are SQL Injection and Cross-site Scripting attacks. When we review code, we should always pay attention to how any new input in the system is treated.
The first thing to check is whether the input is being used in code that will be evaluated, such as a regular expression or a database query. If it is, it should be properly sanitized.
The next thing is to think about what the data will be used for later. Is it being stored in a database? Is it being sent off to another service? Will it eventually be displayed to a user? You either need to know it will be sanitized or escaped when it’s used, or you’ll need to sanitize it on the way in.
The systems many of us work on today are highly distributed. This introduces the problem that you never quite know where data will end up or what it’ll be used for. It’s likely your API will expose potentially compromised data to other microservices, your data lake, or even third parties. Keep this in mind when considering which measures are enough to consider your code secure.
2. Are the right AAA checks in place?
Every interaction with your system should check the following boxes:
Authentication – Does the code check that the request really is coming from the person or system it claims to be coming from? E.g. does the user have a valid JWT?
Authorization – Does the code check the user is allowed to perform the action in question? E.g. does the user have the admin role?
Accounting – Does the code record who did what, so that you can check back later in case there is an issue?
Always keep an eye out for AAA slip-ups when reviewing code—they’re one of the easiest mistakes to make—and make sure there are some automated tests for any new AAA code to prevent it being accidentally removed in future.
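An added example of the three checks together on one privileged endpoint (not code from the original article): a minimal HMAC-signed token stands in for the JWT mentioned above, a role check covers authorization, and every attempt is recorded whether it was allowed or not. The signing key, user names and the in-memory audit list are constructed for the demo.

```python
import hashlib
import hmac
import json

# Hypothetical signing key for the demo; a real service loads it from a secret store.
SIGNING_KEY = b"constructed-demo-key-do-not-use"

# In-memory audit trail; a real service writes these to an append-only log.
AUDIT_LOG = []


def issue_token(user_id: str, role: str) -> str:
    """Mint a minimal signed token (claims + HMAC), standing in for a JWT."""
    claims = json.dumps({"sub": user_id, "role": role}, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, claims, hashlib.sha256).hexdigest()
    return claims.hex() + "." + sig


def authenticate(token: str):
    """Authentication: return the claims only if the signature verifies, else None."""
    try:
        claims_hex, sig = token.split(".", 1)
        claims = bytes.fromhex(claims_hex)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, claims, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(claims)


def authorize(claims: dict, required_role: str) -> bool:
    """Authorization: a valid identity still has to hold the right role."""
    return claims.get("role") == required_role


def record(actor: str, action: str, outcome: str) -> None:
    """Accounting: who attempted what, and whether it was allowed."""
    AUDIT_LOG.append({"actor": actor, "action": action, "outcome": outcome})


def delete_account(token: str, target_user: str) -> bool:
    """A privileged endpoint with all three checks in the order a reviewer expects."""
    action = f"delete_account:{target_user}"
    claims = authenticate(token)
    if claims is None:
        record("anonymous", action, "denied:unauthenticated")
        return False
    if not authorize(claims, "admin"):
        record(claims["sub"], action, "denied:unauthorized")
        return False
    record(claims["sub"], action, "allowed")
    return True  # the real deletion would happen here


if __name__ == "__main__":
    print(delete_account(issue_token("alice", "admin"), "bob"))  # True
    print(delete_account(issue_token("bob", "user"), "alice"))   # False
    print(AUDIT_LOG)
```

The denied paths are recorded as well as the allowed one; an audit trail that only logs successes cannot tell you who was probing the endpoint. The assertions in a test for this code are the "automated tests for any new AAA code" the section calls for.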
3. Are the assets changing in a meaningful way?
It’s good to have a plan for how to protect your data, but what happens when the kind of data you hold changes? When reviewing code, be on the look-out for any changes that affect the overall security profile of the application. Sometimes a seemingly small change can actually increase a company's legal liability for security issues and would require additional processes and practices to be implemented in order to keep users' data safe.
For example, if the code you’re reviewing introduces a new field regarding a user’s personal health, this would be classed as Special Category data by European law, so you’d need to have a good reason to store it and will need to be extra careful with your data in future if you do decide to store it.
4. Are you leaking data?
It’s very easy to accidentally return too much information in an API response. Let’s say you have a user object and your website allows users to browse other user’s profiles to view some public info. An easy mistake to make would be to make an API call for the user whose profile is being viewed, and return the whole object from the database. This might leak sensitive information such as a phone number or email address. When reviewing new code that returns data, check to see whether there’s an allow-list in place that ensures that only the specified fields are included in the response.
For logging, ensure that any new logging code is only including the information required to find and diagnose issues. Pay particular attention to making sure that no personal information such as email addresses is being logged. Remember that you can mask or truncate information too.
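An added example covering both halves of this section (not code from the original article): an allow-list that decides which fields of a user record a profile endpoint may return, and log helpers that mask e-mail addresses, both in structured fields and inside free-text messages. The sample record, field list and log messages are constructed for the demo.

```python
import re

# Allow-list of the fields a profile endpoint may return to other users.
PUBLIC_PROFILE_FIELDS = ("id", "display_name", "bio")

# Constructed sample record, standing in for a row loaded from the database.
SAMPLE_USER = {
    "id": 42,
    "display_name": "Ada",
    "bio": "Likes compilers.",
    "email": "ada@example.test",
    "phone": "+44 7700 900000",
    "password_hash": "$argon2id$constructed",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def public_profile(user_row: dict) -> dict:
    """Copy only allow-listed fields. A column added to the table later stays
    private until someone deliberately adds it here."""
    return {field: user_row[field] for field in PUBLIC_PROFILE_FIELDS if field in user_row}


def mask_email(address: str) -> str:
    """Keep enough to correlate log lines (first character + domain), drop the rest."""
    local, at, domain = address.partition("@")
    if not at:
        return "***"
    return local[:1] + "***" + at + domain


def scrub_message(message: str) -> str:
    """Mask any e-mail address embedded in free text before it reaches the log."""
    return EMAIL_RE.sub(lambda m: mask_email(m.group(0)), message)


def log_record(user_row: dict, event: str) -> dict:
    """Structured log entry with only the fields needed to find and diagnose an issue."""
    return {
        "user_id": user_row.get("id"),
        "event": scrub_message(event),
        "email": mask_email(user_row["email"]) if "email" in user_row else None,
    }


if __name__ == "__main__":
    print(public_profile(SAMPLE_USER))
    print(log_record(SAMPLE_USER, "password reset requested by ada@example.test"))
```

The review question for `public_profile` is simply whether the endpoint calls it (or something like it) rather than serialising the whole row; for logging, the thing to check is that free-text messages built from user data pass through `scrub_message` or an equivalent before being emitted.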
5. Are new 3rd party dependencies okay?
Does the code you’re reviewing introduce any new third-party code? If it does, it’s a good idea to do a little due diligence to see if the dependency is reliable and secure. Is it widely used? Well maintained? Remember to ask if there’s a simple way to achieve the task in question without adding a new dependency. Snyk’s Advisor tool is a handy way to check key stats for a new package you’re considering.
6. Have you checked the borders?
Security issues exist at the edges of our systems: where user input arrives, where systems talk to a database, where they call an external service, or place messages on a queue. These are the key files to survey when reviewing code for security issues.
If I only had time to check two files in a new pull request for a modern web application I would look at the controller (or wherever the incoming request was dealt with) and the database access logic.
7. Has the config changed?
Security breaches are often the result of misconfiguration. I often see news stories about data being leaked because someone forgot to turn security on for their AWS S3 bucket, for example.
Config changes are usually small and often overlooked, but make sure that they make sense. Of course the biggest step to take is to manage your Infrastructure as Code. If your config is done manually there won’t be any code to review and very little chance of security issues being picked up.
8. Is anything being cached?
Few things are quite as embarrassing as showing one user’s sensitive information to another. Modern applications often have to operate at scale, and therefore caching becomes an important part of ensuring your system remains performant.
But there are some bits that should be cached and some bits that shouldn’t. Importantly, there are some bits that should be cached per user (using a cache key), so that you don’t end up putting one user’s bank balance on everyone else’s profile. Have a good understanding of your system’s default caching behavior and ensure that new endpoints will work with it in the right way.
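An added example of the cache-key mistake this section describes, beside the corrected per-user key and a genuinely shared value (not code from the original article). The `Cache` class, the balance table and the terms text are constructed stand-ins; `cache_headers` is a hypothetical helper showing the same distinction at the HTTP layer, since shared proxies and CDNs are caches too.

```python
class Cache:
    """Minimal key/value cache standing in for Redis or an in-process LRU (constructed)."""

    def __init__(self):
        self._store = {}

    def get(self, key):
        return self._store.get(key)

    def set(self, key, value):
        self._store[key] = value


# Constructed backing data, standing in for database lookups.
BALANCES = {"alice": 120, "bob": 45}
TERMS_OF_SERVICE = "v3: constructed public text"


def balance_shared_key(cache: Cache, user_id: str) -> int:
    # The defect to catch in review: the key omits the principal, so whichever
    # user populates the cache first has their balance served to everyone after.
    key = "account/balance"
    value = cache.get(key)
    if value is None:
        value = BALANCES[user_id]
        cache.set(key, value)
    return value


def balance_per_user(cache: Cache, user_id: str) -> int:
    # Per-user data carries the authenticated user id in the key.
    key = f"user:{user_id}:account/balance"
    value = cache.get(key)
    if value is None:
        value = BALANCES[user_id]
        cache.set(key, value)
    return value


def terms_of_service(cache: Cache) -> str:
    # Genuinely public data is the same for everyone, so a global key is correct.
    value = cache.get("public/terms")
    if value is None:
        value = TERMS_OF_SERVICE
        cache.set("public/terms", value)
    return value


def cache_headers(user_specific: bool) -> dict:
    """Response headers: per-user responses must be marked private (and here
    also no-store) so that intermediaries do not serve them to other users."""
    if user_specific:
        return {"Cache-Control": "private, no-store"}
    return {"Cache-Control": "public, max-age=3600"}


if __name__ == "__main__":
    c = Cache()
    print(balance_shared_key(c, "alice"), balance_shared_key(c, "bob"))  # 120 120 : leak
    c = Cache()
    print(balance_per_user(c, "alice"), balance_per_user(c, "bob"))      # 120 45
```

When a new endpoint appears in a pull request, the two things to look for are whether its cache key includes the principal wherever the value depends on who is asking, and whether its response headers match the framework's default caching behaviour for that kind of data.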
Train your eyes for security
People who “have a good eye for software design” are often great at reviewing code, because they ask the right fundamental questions about the code in question. Now that we all recognize the importance of secure coding, it’s time to train yourself to have a good eye for security too.
Keep this list of questions handy the next time you’re reviewing code and soon you’ll be known in your team as the person most likely to spot security issues before they’re shipped.
Keep learning
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed fast on the state of app sec testing with TechBeacon's Guide. Plus: Get Gartner's 2021 Magic Quadrant for AST.
Get a handle on the app sec tools landscape with TechBeacon's Guide to Application Security Tools 2021.
Download the free Forrester Wave for Static Application Security Testing. Plus: Learn how a SAST-DAST combo can boost your security in this webinar.
Understand the five reasons why API security needs access management.
Learn how to build an app sec strategy for the next decade, and spend a day in the life of an application security developer.
Build a modern app sec foundation with TechBeacon's Guide.