Application Security Code Review
Application Security Code Review Information
An Application Security Code Review is the manual review of source code together with the developers to identify source code-level issues that may enable an attacker to compromise an application, system, or business functionality. Because they are manually intensive and expensive, Security Code Reviews are always focused on particularly high-risk areas of the code.
Key activities include:
- Leveraging the Threat Assessment, System Security Plan, Vulnerability Assessment, or Automated Code Analysis to understand which portions of the code should be manually reviewed;
- Conducting a security code walkthrough with the developers, wherein the source code is peer reviewed with an emphasis on the code constructs and design logic responsible for achieving the relevant security objectives; and,
- Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible the report will also include: root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.
The predominant benefits realized by a Security Code Review are:
- Enables development teams to identify and correct insecure coding techniques that could lead to security vulnerabilities or possible incidents;
- Educates developers on secure coding techniques and best practices; and
- If integrated into the Software Development Life Cycle (SDLC), coding issues can be resolved earlier in the development process.
Application Security Code Review: Best Used
- For larger applications where specific code modules are integral to the achievement of critical security objectives; and
- As part of a broader “certification and accreditation” exercise to provide a higher level of assurance for critical applications.
For high-risk applications, security-focused code reviews should be conducted as part of the normal SDLC. Reviews may also be needed during or after security testing, prior to implementing system upgrades, prior to making system configuration changes, or immediately following any reported security incidents.