Creating secure code takes effort. Secure code reviews are an important part of that effort.
What do I mean by an Agile secure code review? Here I'm talking about reviewing a feature that has been developed for software or a service. We're not talking about huge amounts of code, and we're certainly not talking about reviewing an entire product's code base (a daunting task). By reviewing the code for a feature we're looking at how that feature works and how it interacts with the rest of the product. This also fits well with working in an Agile manner, focusing on small pieces: if the focus is wider, encompassing large amounts of code, then our tiny minds can't handle it and we'll miss things.
There are about a million things you could think about in a regular code review, and trying to focus on everything at once is impossible. That's why a secure code review focuses specifically on security: the reviewer doesn't need to think about anything else, and that's the true meaning of focus.
I'm a firm believer in consciously putting on a different 'hat' to perform different aspects of the job.
When I say 'hat', I don't of course mean a real hat, although maybe that could work; maybe it would get you lots of funny looks; maybe the funny looks would be worth the results.
This actively shifts my mindset from one area of focus to another, instead of simply believing I can act on all of those areas at the same time. That's not possible.
Once you've got your security hat on, there are a number of subjects under the umbrella of security, and we can't focus on them all at once, so this article lists a number of areas to look at.
I plan to create separate blog posts for each of these points and they may change as I go along. All input is welcome!
- Who can perform a secure code review?
- When should you perform a secure code review?
- Why do we perform secure code reviews?
- Secure code review approach
- Reviewing for confidentiality
- Reviewing for integrity
- Reviewing for availability
- Reviewing for auditing / logging
- Reviewing for authorisation / authentication
Got a comment or correction (I’m not perfect) for this post? Please leave a comment below.