ID: I202512111148 Status: idea Tags: Security

Secure Code Review

What is Secure Code Review?

Secure Code Review is manual examination of source code to find security vulnerabilities that automated tools miss. It focuses on application logic, data flow, and implementation details using human expertise and contextual understanding.

This complements automated tools like SAST and DAST by catching business logic issues, complex security implementations, and context-specific vulnerabilities that automation can’t detect.

Review Types

Baseline Reviews examine your entire codebase comprehensively. Use these for new applications, major releases, legacy system onboarding, compliance requirements, or post-incident analysis.

Diff-Based Reviews focus only on code changes. Use these in your daily workflow for pull requests, commits, feature completion, and continuous security validation.

Review Methodology

Start by understanding your application architecture, business requirements, threat models, and previous security findings. Identify critical assets and high-risk functions early.

For baseline reviews, you’ll need to map all application boundaries, analyze the overall security architecture, and review your incident history. For diff-based reviews, identify what files changed, assess the impact on security controls, and prioritize high-risk modifications.

The actual review process starts with architecture review, then moves to entry point analysis and input validation. After that, verify authentication and authorization, trace data flow through the system, analyze business logic, review cryptographic implementations, check error handling, and finally review configuration and deployment.

Common Vulnerability Patterns

You’ll encounter Input Validation issues where server-side validation is missing or sanitization is improper. Injection vulnerabilities show up as SQL injection, XSS, path traversal, command injection, or NoSQL injection.

Authentication & Session Management problems include weak token generation and improper session invalidation. Access Control vulnerabilities manifest as missing authorization checks and privilege escalation. Deserialization issues involve unsafe object handling and XXE attacks. Finally, Cryptographic problems come from weak algorithms and poor key management.

Review Techniques

Code Pattern Analysis helps you focus on the dangerous stuff. Look at input processing and validation, database query construction, file operations, authentication and session logic, authorization checks, cryptographic operations, and error handling.

Data Flow Analysis traces data as it moves through your application. Start by identifying where data comes in—user inputs, API calls, database reads. Follow where it gets processed through validation, transformation, and business logic. Check where it exits through database queries, file writes, or output. Make sure trust boundaries have proper security controls.

Threat-Based Review aligns your review with actual attack patterns. Use OWASP Top 10, apply the STRIDE model, map attack trees, and consider abuse cases.

Business Logic Review analyzes workflows for state management issues, race conditions, transaction integrity, resource limits, and authorization at each step.

What To Actually Check

NOTE: Critical areas to verify during code review

When reviewing input validation, ensure server-side validation is always enforced, allowlists are used instead of blocklists, output is encoded for the right context (HTML, JavaScript, CSS, URL, SQL), file uploads validate by content, SQL injection prevention uses parameterized queries, input lengths are limited, and special characters are handled.

For authentication and session management, verify password hashing uses strong algorithms with salt, account lockout has appropriate thresholds, session tokens have at least 128 bits of entropy, sessions properly invalidate on logout, sensitive operations require re-authentication, and TLS is properly configured.

Authorization checks should be enforced server-side with a fail-safe deny-by-default policy. Prevent IDOR attacks, protect function-level access, validate role assignments, prevent privilege escalation, centralize access control logic, and always check authorization after authentication.

Cryptography should use modern algorithms like AES-256 and RSA-2048+. Keys need proper management and rotation. Certificates must validate with hostname verification. Random generation must be cryptographically secure. Encrypt both at rest and in transit with unique, unpredictable IVs/Nonces.

Business logic needs workflow integrity with state validation, race condition prevention, atomic transactions with rollback, resource limits and rate limiting, and enforcement of business rules even when accessed directly via API.

Configuration should have secure defaults, separate environments, no hardcoded secrets, graceful error handling, logging without sensitive data, proper security headers, strong TLS configuration, and up-to-date dependencies.

Security monitoring requires logging of authentication failures and authorization violations, complete audit trails, real-time alerts for critical events, protected logs, and incident response procedures.

Tools and Techniques

Use code editors with security extensions like VS Code with ESLint and SonarLint, or IntelliJ IDEA with SpotBugs.

For command-line pattern detection, search for hardcoded secrets, unsafe functions, and potential injections:

grep -ri "password\s*=\|api_key\s*=" source/
grep -r "eval(\|exec(\|innerHTML" source/
grep -r "SELECT.*+\|executeQuery" source/

Manual review excels where automation fails. Business logic flaws, context-specific vulnerabilities, complex authorization logic, race conditions, cryptographic misuse, and architectural security issues all require human judgment.

Integrate automated tools by using SAST and SCA findings to prioritize what manual reviewers focus on. Run automated tools before manual review to catch obvious issues, then use the findings to guide deeper investigation. Apply human judgment to validate automated findings and focus manual effort on areas tools can’t effectively analyze.

Integration with SDLC

Baseline Reviews happen at project initiation, major releases, architecture changes, compliance cycles, post-incident analysis, and when onboarding legacy systems.

Diff-Based Reviews fit into pull requests, pre-commit hooks, feature completion, sprint reviews, hotfix reviews, and CI/CD integration.

You can combine both approaches with risk-based scheduling, gradually expanding baseline coverage over time, and escalating to baseline reviews when diff-based reviews find significant concerns.

Advanced Techniques

Race Condition Analysis focuses on TOCTOU (Time-of-Check vs Time-of-Use) vulnerabilities and ensures operations are atomic.

Business Logic Analysis examines state transitions, opportunities to bypass steps, proper validation at each workflow step, rollback mechanisms, behavior under concurrent access, and boundary conditions.

Security Architecture Review verifies consistent security enforcement and proper API controls across the system.

Memory Safety checks buffer management, integer overflow protection, and resource limits.

---

References

ik moest dit artikel lezen als voorbereiding voor deze les, ik heb hem niet gelezen, ik heb de bovenstaande samenvatting gegenereerd omdat ik geen tijd meer had.