SECURE CODE REVIEWS
For many companies that develop software, throughput is a critical metric. Directors, managers, and project leads constantly focus on the speed at which they are moving forward, and truth be told, they have to. If new code and applications are not released on a regular basis, the company’s bottom line usually suffers. So they charge forward developing, testing, and releasing software that is functional and visually appealing to the customer. During testing, they look for any bug, glitch, or error that may negatively affect one of those two areas: Does it impact usage by the customer? Does it impact the appearance of the application? Notice that there is no mention of secure code review.
The questions rarely asked during the testing process are: How secure is this code? Are any vulnerabilities or risks being introduced to our systems or data? Is this code manageable long-term? The reason is that these questions and their answers rarely have a negative impact on user functionality or appearance, and almost always slow down throughput. So why are they important? Why is secure code review necessary if it appears only to hurt the process? Because a company that never asks these questions may one day regret it and quite literally lose everything.
According to OWASP, a secure code review is “… the process of auditing the source code for an application to verify that the proper security controls are present, that they work as intended, and that they have been invoked in all the right places. Code review is a way of ensuring that the application has been developed so as to be ‘self-defending’ in its given environment. Secure code review is a method of assuring secure application developers are following secure development techniques.” This review can and should combine manual and automated testing, which increases both efficiency and the likelihood that vulnerabilities are discovered. It is not, and should never be, a method for assigning blame. It is a process for reducing corporate liability and identifying where developers need additional training.
All software carries some degree of vulnerability and risk because of the inherent complexity of modern software. Proper organizational security must therefore be a layered process that covers every stage, from development to testing, release, hosting, and maintenance.
A manual secure code review is the process of someone, typically with a security background and not the original developer, reading through each line of code in context and searching for vulnerabilities and potential dangers. This is obviously time consuming and can seem like an insurmountable task. However, if the code is properly maintained in a source code repository with change tracking, then after the initial full review it is often possible to limit routine manual review to the differentials, that is, the code that changed since the last review. That said, it is still good practice to schedule a complete manual review at some regular interval.
Manual code reviews are often best performed by third-party entities, for two primary reasons. First, third-party reviewers offer an external perspective and are likely to find issues that internal personnel, who have seen and reviewed the code so often, have glanced over without recognizing. Second, third-party reviewers are not concerned about hurting feelings or company politics, yet they are still capable of producing and delivering a complete report. Internal auditors often have to navigate corporate politics carefully so as not to damage relationships or interfere with bottom-line metrics.
According to MITRE, a proper secure code review consists of interviews, the code review itself, and report delivery. Interviews are a critical initial stage in which the developers are questioned. The questions and answers are used to ascertain the intent of the developer and their application, the developer’s overall knowledge and skill level, and their awareness of secure coding practices. The answers gathered during the interviews often shape the code review stage, making it more effective and more efficient.
The code review stage is exactly what the name says: an individual or team manually reviews the entirety of an application’s code, examining each line, function, and class in the context of the program’s flow to search for vulnerabilities, whether introduced directly or inherited from dependencies. Finally, the reporting stage is crucial. Here the code auditors must pull together the data from the interviews and the findings from the code review into a clear, succinct, and professional document that identifies the issues, risks, and vulnerabilities discovered. This document must be understandable to a range of readers, often from the CIO/CEO down to the developers themselves, so it is best practice to include an executive overview followed by the detailed findings and supporting evidence. This allows the company to begin acting on the findings immediately.
Software will always have defects and vulnerabilities; as mentioned, that is the reality of modern software complexity. However, your company should constantly review, revise, and maintain its code using security best practices, including secure code review, in order to minimize risk and overall liability. Litigation frequently targets companies that failed to perform even minimal due diligence to ensure the safety of their customers and data.