The basics of security code review
With staffing ratios often more than 200 developers for every AppSec professional, scaling security requires increasing the developer’s engagement in securing the product. To do that, developers must be responsible for the security of the code they write. Performing source code reviews to identify and remediate security risks before an application is moved into production is undoubtedly one of the best ways to ensure software quality – though this is much easier said than done.
Finding and fixing bugs in code
Developers already spend countless hours finding and fixing bugs in code. A recent survey found that 32% of developers spend up to 10 hours a week fixing bugs, while 16% spend up to 15 hours a week, and 6% dedicate up to 20 hours a week fixing bugs instead of producing new code.
Another considerable factor in this equation is open-source code. Today, 99% of codebases contain at least one open-source component, and 91% contain components that are either more than four years out of date or have not seen development activity in the last two years. It seems a near-impossible task in today’s digital world to not use some form of open-source code when developing software, yet efforts for securing it are still in the “wild west” phase.
What are the best tactics for performing security code review?
1. Know what to look for
First determine the most common vulnerabilities for the type of application you’re working with. Familiarize yourself with markers of specific vulnerabilities so that you can identify source code patterns as you come across them. However, be mindful that while vulnerabilities have common patterns, they vary in different contexts, so be aware of programming languages, frameworks, and libraries to ensure you can spot vulnerabilities more accurately.
2. Understand the fundamentals
In code analysis, “sources” refer to a code component that allows for a vulnerability, and “sinks” represent the places where the vulnerabilities occur. For example, with command injection vulnerabilities, the “source” is usually a function that takes user input, and the “sink” is a function that executes a system command. If user input can move from a source to a sink without validation, a command injection vulnerability happens.
Tracking the data flow from sources to sinks is a common way to identify vulnerabilities. Tracking data flow rather than relying solely on pattern matching helps static analysis tools drastically reduce the number of false positives in scan reports because the tool cannot report potential vulnerabilities that are not “reachable” by malicious input. Following this method is also beneficial in classifying open-source vulnerabilities. Tracking an untrusted input to an open-source vulnerability can indicate which vulnerabilities are exploitable.
3. Dive into a manual review
First and foremost, when performing a manual review, ensure your application is using secure settings according to best practices.
To gather a quick understanding of the landscape, you can search by strings, keywords, and code patterns that typically indicate the presence of a vulnerability or misconfiguration. It is also important to repeat the same search across git history.
To expand upon a quick initial search, focus on areas of code that deal with user input, which can provide entry points for attackers to exploit the application’s vulnerabilities. These include HTTP request parameters, HTTP headers, HTTP request paths, database entries, file reads, and file uploads.
Home in on the areas of critical control functions to see if they can be bypassed, as well as how user and business data is being transported and stored. Furthermore, scan for configuration issues specific to your application.
4. Find the right tools
Manual code review is tedious and time-consuming. Using tools like Software Composition Analysis (SCA) or Static Analysis Security Testing (SAST) can automate this process and help developers and security teams find and remediate security issues faster and more efficiently.
SAST tools identify vulnerable patterns automatically, opening more time for analyzing the impact and severity of a vulnerability.
The best way to find open-source vulnerabilities is with SCA. SCA tools scan for discovered vulnerabilities by examining the open-source components within an application then comparing them to scans of public or private databases of known vulnerabilities associated with the application’s dependencies.
Developers often shy away from security tools in fear that they will delay their work, or shine light on errors in their work. However, implementing secure practices and using security tools are crucial for every business creating software. While scanning tools are not a silver bullet solution, the best way to build secure and quality software is to use tools to find vulnerabilities and conduct manual code reviews to validate them all while the code is fresh in the mind of the developer.