Source code review: your company’s security first.
Source code review is a practice that can really save you from a lot of trouble; read on and find out the benefits it has for your company.
If we look at the many cybersecurity statistics published on the Internet, we can see that a large share of attacks are aimed at web applications. So when your company suffers an attack, the most common response is to hire a computer security specialist; this person will be in charge of performing a series of actions to determine the cause of the attack. One of these actions is the source code review.
Let’s see what it is about…
Source code review, a quick definition.
This is the analysis or examination of the source code of an application, in order to identify any errors that may have been overlooked during its initial development. The process is as follows: first, a qualified specialist runs a code analyzer, which scans the application's code line by line; once the analysis is complete and vulnerabilities have been found, the pentester is responsible for reviewing them manually, using penetration testing to confirm them; finally, the team moves on to eliminate those vulnerabilities that pose a risk.
Normally this technique varies depending on the programming language, the size of the application and the number of functions it has; therefore, the estimated time needed for the analysis can vary as well. Who performs it can also vary: you may have an in-house team, or you may hire a specialist to perform this task.
Other ways to perform source code review
- Pass-Around: this is code review by e-mail. In this method, a developer emails a series of changes to the entire development team, sometimes through release management systems that send out the notifications automatically. This email starts the conversation about the changes, in which team members request further changes, report bugs, or ask for clarification. In the past, email was the first choice for this communication because of its efficiency; open source organizations are accustomed to maintaining a public mailing list, which also serves as a place to discuss code and give feedback on it. With the advent of code review tools, these mailing lists still exist, but they are used primarily for communication and discussion.
- Over-the-shoulder code reviews: the review takes place at the developer's workstation, where another team member reads the new code and offers suggestions in conversation. This is often the simplest approach to code review and does not need a predefined structure. It is still done informally today, alongside a formal code review method carried out on-site.
- Pair programming: this is a continuous process in which two programmers sit at the same workstation, but only one of them is actively writing code; the other gives real-time feedback on the work being done. This is often considered inefficient because of the time required, since the developer doing the reviewing spends time that could be used on other tasks.
What can we find when performing a source code review?
The main reason to perform these reviews is that we can find several kinds of vulnerabilities that could put our companies at risk; some examples are:
- Cryptographic errors: weak encryption algorithms, as well as strong algorithms with a weak implementation, e.g. insecure key storage.
- Injection flaws, such as SQL injection and XSS (cross-site scripting) vulnerabilities.
- Buffer overflows: more data is written to a buffer than it can hold.
- Race conditions: two or more operations run at the same time on the same data, and the outcome depends on their timing.
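To make the analyzer step from the definition above and the vulnerability classes just listed concrete, here is a small Python script added as an example for this article; it is not a tool from the original post or from Demyo. The rule set is a hypothetical, deliberately simple set of regular expressions, and the two snippets it reviews are constructed sample code (the `markupsafe` names appear only as text inside those snippets). The first snippet carries one instance of each class; the second is the fix a reviewer would recommend for every flagged line, and the script confirms that the fixed version produces no findings.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # vulnerability class the line was matched against
    line: int      # 1-based line number in the reviewed file
    text: str      # the offending line, stripped


# Hypothetical rule set written for this example, one pattern per class the
# article lists. A real reviewer tunes these to the language and code base.
LINE_RULES = {
    # SQL text assembled with f-strings, %-formatting, + or .format() before execute()
    "sql-injection": re.compile(r"\.execute\(\s*(f[\"']|.*[\"']\s*[+%]\s*\w|.*\.format\()"),
    # Untrusted data interpolated straight into HTML
    "xss": re.compile(r"Markup\(\s*f[\"']|\|\s*safe\b|\.innerHTML\s*="),
    # Known-weak hash and cipher choices
    "weak-crypto": re.compile(r"hashlib\.(md5|sha1)\(|\bDES\b|\bRC4\b"),
    # Secrets baked into the source (insecure key storage)
    "hardcoded-secret": re.compile(r"(?i)\b(api_?key|secret|password|passwd)\s*=\s*[\"'][^\"']{4,}[\"']"),
    # Unbounded C copy routines that write past the end of a buffer
    "buffer-overflow": re.compile(r"\b(strcpy|strcat|gets|sprintf)\s*\("),
}

# Time-of-check/time-of-use race: a filesystem check followed within a few
# lines by the use that the check was supposed to protect.
CHECK_RE = re.compile(r"os\.(path\.exists|access)\(")
USE_RE = re.compile(r"\bopen\(|os\.(remove|rename|chmod)\(")
RACE_WINDOW = 3


def review_source(code: str) -> list[Finding]:
    """Scan one file's text and return findings in line order."""
    lines = code.splitlines()
    findings: list[Finding] = []
    for lineno, line in enumerate(lines, start=1):
        stripped = line.strip()
        if stripped.startswith(("#", "//")):
            continue  # do not flag patterns quoted in comments
        for rule, pattern in LINE_RULES.items():
            if pattern.search(line):
                findings.append(Finding(rule, lineno, stripped))
        if CHECK_RE.search(line):
            following = lines[lineno:lineno + RACE_WINDOW]  # the next few lines
            if any(USE_RE.search(nxt) for nxt in following):
                findings.append(Finding("race-condition", lineno, stripped))
    return findings


# Constructed sample under review, not code from any real project. The key
# value is a made-up placeholder. The second snippet is the fix a reviewer
# would recommend for each flagged line of the first.
VULNERABLE_SNIPPET = '''
import hashlib, os
from markupsafe import Markup
API_KEY = "sk-live-0123456789"

def login(db, user, pw):
    cur = db.cursor()
    cur.execute("SELECT id FROM users WHERE name = '" + user + "'")
    return hashlib.md5(pw.encode()).hexdigest()

def greet(user):
    return Markup(f"<h1>Hello {user}</h1>")

def read_report(path):
    if os.path.exists(path):
        return open(path).read()
'''

HARDENED_SNIPPET = '''
import hashlib, os
from markupsafe import escape
API_KEY = os.environ["API_KEY"]

def login(db, user, pw):
    cur = db.cursor()
    cur.execute("SELECT id FROM users WHERE name = ?", (user,))
    return hashlib.sha256(pw.encode()).hexdigest()

def greet(user):
    return "<h1>Hello " + escape(user) + "</h1>"

def read_report(path):
    try:
        with open(path) as fh:
            return fh.read()
    except FileNotFoundError:
        return None
'''


if __name__ == "__main__":
    for name, snippet in (("vulnerable", VULNERABLE_SNIPPET), ("hardened", HARDENED_SNIPPET)):
        findings = review_source(snippet)
        print(f"== {name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  line {f.line:>2} [{f.rule}] {f.text}")
```

Run as a script, it lists five findings for the vulnerable snippet (hardcoded secret, SQL concatenation, MD5, an f-string inside `Markup`, and an exists-then-open race) and none for the hardened one. This is the cheap, automated first pass the definition describes; each hit still needs the manual confirmation step, because a pattern match is not proof that the line is exploitable.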
In addition, where penetration testing only reveals that a page is vulnerable, reviewing the source code allows pentesters to find the vulnerability at its root. This saves the pentester's time and the client's money.
What are the advantages of this process?
Greater attention to best practices: the developer's knowledge of their own code is put to the test, and they are pushed to think through every feature of their application; this is a point of professional pride for them and encourages them to keep up the same good practices in the future. Another advantage is that it is a good way to detect "bugs" or errors that the application may have and that had not been noticed before.
In the same way, it improves knowledge sharing among the members of the project. By sharing what was found, along with the solution to each vulnerability, everyone's participation is encouraged and knowledge grows; in this way, the team expands its understanding of the code and speeds up future work.
What tools can be used?
There are a large number of tools that can be used to speed up the code review process; some of the most commonly used are:
- GitHub: has a code review tool built into its pull requests. The code review tool is included in the main GitHub service, which offers a free plan for developers.
- Review Board: a web-based, open source code review tool.
- Phabricator: also includes a code review tool; in addition, it works for reviewing design documents.
- CodeScene: a slightly different code review tool, since besides code review it also performs behavioral code analysis, as well as reviews over time to sustain code quality.
With this information we hope to remind you of the importance of certain processes that we sometimes overlook or think will not be beneficial to our company; but remember that anything that can help us improve the performance or security of components of our company is a worthwhile endeavor. If you don’t know where to start, you can contact the Demyo Inc. team; here you will find a wide variety of solutions to improve the security of your company.