Most tasks in a skilled role require some degree of knowledge and experience, and performing a secure code review is no different. So what knowledge and experience should you have for a secure code review?
Firstly and most importantly, a knowledge of the type of vulnerabilities you're likely to encounter is a must. For a web application, the bare minimum is a good knowledge of the OWASP top 10. This arms the code reviewer with knowledge of what vulnerabilities look like and helps them to start to see what vulnerable code looks like.
Experience applying that knowledge of vulnerabilities is clearly important, and it can be gained both by practising good defence and by practising attack.
Practising defence takes the form of actively thinking about security when writing code. This can be thinking about a feature's security before you start writing it, or even performing security reviews of your own code before it gets reviewed by someone else. It can also be writing unit and integration security tests, as this requires that you know both the attack and the defence before you can correctly write the tests.
Practising attacks against deliberately vulnerable software is great experience and helps you to understand how vulnerabilities can be exploited. Experience performing an attack is much more useful than just reading about it. Examples of practice targets include OWASP Security Shepherd and OWASP Juice Shop, both of which are completely free.
A code reviewer should be familiar with the language(s) being used in order to perform an effective review of the code's security. Without experience with the language it would be very time consuming to understand where vulnerabilities lie and where existing frameworks are already taking care of them. For example, a lot of standard web controls in .NET perform their own output encoding to protect from things like XSS.
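As an added illustration of the two points above (a security unit test needs knowledge of both the attack and the defence, and the reviewer must know where the framework's encoding already protects you), here is a small Python example; it is not code from the original post. The view helper `render_greeting`, its template and the sample inputs are all hypothetical and constructed for the example.

```python
"""Security unit tests for a small output-encoding helper (added example)."""
import html
import re
import unittest

TEMPLATE_RE = r'<p class="greeting">Hello, <b>(.*)</b>!</p>'


def render_greeting(display_name: str) -> str:
    """Hypothetical view helper: renders an untrusted display name into an
    HTML body context. html.escape is the defence (the same job the .NET
    web controls do for you); it is only correct for this HTML context."""
    safe = html.escape(display_name, quote=True)
    return f'<p class="greeting">Hello, <b>{safe}</b>!</p>'


def render_greeting_unsafe(display_name: str) -> str:
    """The same helper with the defence missing (the 'before' of a fix)."""
    return f'<p class="greeting">Hello, <b>{display_name}</b>!</p>'


# Constructed inputs. Writing them needs knowledge of the attack (what an
# XSS probe looks like) and of legitimate data the encoding must not mangle.
HOSTILE_INPUTS = ['<script>alert(1)</script>', '"><b>bold</b>']
LEGITIMATE_INPUTS = ["O'Brien & Sons <Ltd>", 'plain name']


def is_markup_neutralised(rendered: str, untrusted: str) -> bool:
    """Defence check: the interpolated value contains no raw markup characters,
    and decoding it yields the original, so it was encoded, not stripped."""
    m = re.fullmatch(TEMPLATE_RE, rendered, re.S)
    if m is None:
        return False
    injected = m.group(1)
    return all(c not in injected for c in '<>"\'') and html.unescape(injected) == untrusted


class GreetingSecurityTests(unittest.TestCase):
    def test_every_input_is_neutralised(self):
        for value in HOSTILE_INPUTS + LEGITIMATE_INPUTS:
            with self.subTest(value=value):
                self.assertTrue(is_markup_neutralised(render_greeting(value), value))

    def test_check_catches_the_unfixed_helper(self):
        # A security test must fail on vulnerable code, or it proves nothing.
        for value in HOSTILE_INPUTS:
            with self.subTest(value=value):
                self.assertFalse(is_markup_neutralised(render_greeting_unsafe(value), value))


if __name__ == '__main__':
    unittest.main()
```

Run it with `python -m unittest` against the file; the second test is the one reviewers often forget, and it is what shows the assertion actually encodes knowledge of the attack.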
A code reviewer should be familiar with the existing code base too. When performing any code review it is important to talk to the original developer(s) to understand the code and security that should be there, but it's also important to have some background in the existing security stance of the product. There may be security related bugs to take into account or outstanding security features on the backlog which will impact how you see the code you look at.
A useful tool to assist with secure code reviews is static code analysis. This is a type of tool that analyses your code and tells you where it thinks you've made common errors. It can pick up a lot of things that a person might miss, even during a code review, so it's useful to use alongside manual code reviews. It can also be extremely useful for improving your existing skills, because by looking at the issues it shows you, you get a better understanding of common mistakes and how they can be fixed.
A good example of a static code analysis tool is .NET's FxCop.
If you haven't yet got the knowledge or experience, a great place to start is with Troy Hunt's Pluralsight course on the OWASP Top 10.
Got a comment or correction (I’m not perfect) for this post? Please leave a comment below.