Application Security Code Review


Application Security Code Review Information

An Application Security Code Review is the manual review of source code, carried out together with the developers, to identify source code-level issues that may enable an attacker to compromise an application, system, or business functionality. Because it is manually intensive and expensive, a Security Code Review (also known as a secure code review, application code review or application security review) is always focused on particularly high-risk areas of the code.

Key activities in an Application Security Code Review include:

  • Leveraging the Threat Assessment, System Security Plan, Vulnerability Assessment, or Automated Code Analysis to understand which portions of the code should be manually reviewed;
  • Performing source code analysis with a Static Application Security Testing (SAST) tool, which analyzes source code and/or compiled code to rapidly identify potential security flaws in the application;
  • Conducting a security code walkthrough with the developers, in which the source code is peer reviewed with an emphasis on the constructs and design logic responsible for achieving the relevant security objectives; and,
  • Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible, the report also includes root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.

The predominant benefits realized by a Security Code Review are:

  • Enables development teams to identify and correct insecure coding techniques that could lead to security vulnerabilities or incidents costing millions in lost revenue, fines, legal fees and reputational damage;
  • Educates developers on secure coding techniques and best practices; and
  • If integrated into the Software Development Life Cycle (SDLC), coding issues can be resolved earlier in the development process. This saves time, resources and money versus finding and fixing defects after the code has been released.

In short, there is no substitute for this kind of security code review process for high-risk applications or application components.
Even if you have integrated security testing throughout your development process, an Application Security Code Review can be essential, as it provides independent, objective verification that your application is optimally secured. In some industries, such as healthcare and payment processing, a security code review may even be mandated by compliance requirements.

Application Security Code Review: Best Used

  • For larger applications where specific code modules are integral to achieving critical security objectives; and
  • As part of a broader “certification and accreditation” exercise to provide a higher level of assurance for critical applications.

For high-risk applications, security-focused code reviews should be conducted as part of the normal SDLC. Reviews may also be needed during or after security testing, prior to implementing system upgrades, prior to making system configuration changes, or immediately following any reported security incidents.