Secure Code Review

The document outlines the process of secure code review, emphasizing its importance in identifying security vulnerabilities in software source code. It details the skills required for effective code reviews, best practices, and key terminologies such as 'source', 'sink', and 'taint'. Additionally, it provides metrics for evaluating the impact of code review engagements and encourages continuous improvement through feedback and practice.

Uploaded by

devsectron

SECURE CODE REVIEW

Art of finding vulnerabilities in the application source code!!!

Secure code review is a process used to identify potential security vulnerabilities in software source code.
WHY CONDUCT CODE REVIEWS?

• Detect and address security flaws at the code level
• Check for coding standards violations
• Reduce code complexity
• Identify logic and architecture issues
• Identify hardcoded secrets and API key leaks
• Reduce cost and effort of security practice


SKILLS NEEDED FOR CODE REVIEW

• Understanding of at least one object-oriented framework.
• Understanding of the structure of modern applications.
• Understanding of application settings.
• Familiarity with deployment descriptors, such as web.xml and web.config.
• Understanding of business logic and data flow.
• Familiarity with OWASP, SANS and CVEs.


BEST PRACTICES FOR CODE REVIEWS

PROCESS FLOWS OF CODE REVIEW

PREREQUISITES FOR CODE REVIEW

• Access to the source code
• LOC (Lines of Code)
• Hardware requirements for licensed tool installation
• Application walkthrough
• Authentication
• Authorization
• Data validation
• Exception/error handling
• Logging
PERFORM PRELIMINARY SCAN

BUT WHY USE TOOLS FOR SOURCE CODE ANALYSIS?

Source code review tools: free tools and commercial tools.


KEY TERMINOLOGIES FOR CODE REVIEW

• Source: the location in the code where malicious input is introduced, such as a call to the "request.getParameter()" method.
• Sink: the location in the code where a vulnerability is exploited, such as where XSS alerts are reflected.
• Taint: malicious data provided by the user.
• Taint propagator: a function that takes malicious data as input and passes it out without any validation.
LET’S ANALYZE THE CODE
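As an added example (not part of the slides), a toy Python taint tracker that puts the four terms above to work: constructed call names such as request.getParameter, String.concat and Encode.forHtml stand in for a parsed servlet method body, and the vulnerable path is shown next to the same path with encoding before the sink.

```python
"""Minimal taint-propagation checker for the code-review terms source, sink,
taint and taint propagator. Constructed example: the vocabulary below and the
statement tuples are illustrative, not the output of a real analyzer."""

SOURCES = {"request.getParameter"}          # where untrusted input enters
SINKS = {"response.getWriter().println"}    # where tainted data is reflected (XSS)
SANITIZERS = {"Encode.forHtml"}             # validation/encoding that removes taint
# Any other callee is treated as a taint propagator: it passes taint through unchanged.

def analyze(statements):
    """Walk straight-line statements and report every source -> sink flow.
    Each statement is (assigned_variable_or_None, callee, [argument names/literals])."""
    tainted = {}   # variable -> (source callee, line number) that tainted it
    findings = []
    for lineno, (target, callee, args) in enumerate(statements, start=1):
        tainted_args = [a for a in args if a in tainted]
        if callee in SOURCES:
            tainted[target] = (callee, lineno)       # source: taint introduced
        elif callee in SANITIZERS:
            tainted.pop(target, None)                 # sanitizer: taint removed
        elif callee in SINKS:
            for a in tainted_args:                    # sink: tainted data arrives
                src, src_line = tainted[a]
                findings.append(f"line {lineno}: {callee}({a}) reaches sink; "
                                f"taint from {src} at line {src_line}")
        elif target is not None:
            if tainted_args:                          # propagator: taint flows through
                tainted[target] = tainted[tainted_args[0]]
            else:
                tainted.pop(target, None)             # clean reassignment
    return findings

# Constructed vulnerable path: source -> propagator -> sink, no validation.
VULNERABLE = [
    ("name", "request.getParameter", ['"name"']),
    ("greeting", "String.concat", ['"Hello "', "name"]),      # taint propagator
    (None, "response.getWriter().println", ["greeting"]),     # sink
]
# Same path with HTML encoding before the sink, which breaks the flow.
FIXED = [
    ("name", "request.getParameter", ['"name"']),
    ("safe", "Encode.forHtml", ["name"]),                     # sanitizer
    ("greeting", "String.concat", ['"Hello "', "safe"]),
    (None, "response.getWriter().println", ["greeting"]),
]

if __name__ == "__main__":
    for label, program in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, analyze(program) or "no tainted flow reaches a sink")
```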
FINAL TIPS & TAKEAWAYS

• Consistent rehearsal: strengthen your familiarity
• Refine delivery style: pacing, tone, and emphasis; timing and transitions; aim for seamless, professional delivery
• Practice audience: enlist colleagues to listen & provide feedback
• Seek feedback: reflect on performance
• Explore new techniques: set personal goals; iterate and adapt
SPEAKING ENGAGEMENT METRICS

IMPACT FACTOR                  MEASUREMENT          TARGET   ACHIEVED
Audience interaction           Percentage (%)       85       88
Knowledge retention            Percentage (%)       75       80
Post-presentation surveys      Average rating       4.2      4.5
Referral rate                  Percentage (%)       10       12
Collaboration opportunities    # of opportunities   8        10


THANK YOU

Brita Tamm
502-555-0152
[email protected]
www.firstupconsultants.com
