It is difficult to undertake a good code review. Especially if you are not clear what kinds of faults, you should be looking for! Security testing is pushed to the left in the DevOps strategy so that vulnerabilities can be discover and resolve earlier, in the design, development, or CI/CD stages of the workflow. Checking for security problems in the code that you review is always a smart practice. Here is a simple checklist to help you with your next code review if you are not sure what to look for.
When evaluating code, keep in mind that not every code is written the same way. Consider what is behind the code you are looking at, as well as the data and assets you are trying to protect. This practical knowledge is difficult to incorporate into a checklist. Using the idea in the cheat sheet in conjunction with your domain knowledge, however, can help you determine where you should spend more effort and where you might expect to predict heightened risk and various types of attacks. Note that establishing attack trees, which will show you where to focus your efforts first/most, is a wonderful approach to figure out where your most risk locations are.
So, let’s get started with our 5 Best Practices for the best Secure code Review
All input should be sanitized and validated
Modern web apps must deal with a variety of third-party data. Although for example, direct input from a user in the browser is an apparent example. As developers, we all know that when a user has the ability to do so, they will do so. It is a basic best practise to ensure that direct input from users is verified and sanitised adequately to ensure that applications are not exposed to content injection. Direct user feedback, on the other hand, is by no means the sole factor to consider.
Any input that enters your system from the outside should be scrutinize and treated as potentially hazardous. Consider the following:
- Files
- Feeds of Data
- cookies
- Event- an event-driven system like working with platforms like Service Functions in close cooperation
- Other system data responses
In addition, the input that appears at first sight under your control could be destructive. Think about it – if a bad user can connect directly to your database, a backdoor can be inserted into your system to introduce harmful malware, for example. The same rule applies:
- Data storage
- system attributes
- Parameters of command-line
- Variables of environment
All data should be verified and sanitized, even the information that seems to be controlled you. See if the input is relevant, you can help a lot with the type of system in a safe language. Furthermore, the size, range size, file type, name of the file, and nothing will be taken for granted. Before it is anywhere save or utilize the user input should be disinfect, preferably via a well-maintained library.
Don’t save secrets as code or configuration
Because we are only testing it to makes sure it works, it is all too simple to save credentials, tokens, or other secrets as variables or constants. However, this code might easily find its way into your code repository if you forget to remove it. We strongly advise you to double-check the code you are looking at for any sensitive information.
If you are using a Git-based code repository, a number of major tools are available to guarantee you do not attempt to push any passwords or sensitive information onto your repo, like Git secrets, and you may statically examine all pushes via a pre-comprised Git Hook. Commits are refused if the tool matches any set regular expression patterns that indicate that sensitive data is stored incorrectly. It may slow down a little bit, but it does valuable.
The credentials are kept as code with team rules that prohibit inappropriate activities from being saved in the existing developer process. Use technologies like Vault in your production to assist manage your secrets. Finally, consider adopting a toolchain for identity and user management, like Key cloak, which a number of engineers in Red Hat are presently maintaining and others are working on.
There are numerous strategies to avoid placing credentials in your repository first and best if you have tried to implement as many as possible; nevertheless, some sensitive information is always possible. It is not necessary to do this. You should also routinely audit your rest, utilize tools such as GitHub or truffle hog that crawl through your source, and look through pattern matching for sensitive information.
Examine new security vulnerabilities produced by open-source dependencies from third parties
Third-party libraries are heavily used in modern web applications development we have easy access to publically available libraries and frameworks by using package managers like npm, Maven, Cradle PyPI, or any comparable. As developers, we want to concentrate on specific business logic rather than boilerplate code, so relying on frameworks and libraries to do the heavy lifting is a natural choice.
You do not know how much direct dependency your program needs there is a good probability. The quantity of your code can be as low as 1 percent in the case of an average project – all other libraries and frameworks are imported. Many of the code placed in production is simply not ours, but we are significantly dependent on it. You are probably also not aware of the number of transitional addictions your application employs. Today, larger frames depend on other libraries, which also rely on other libraries. By using one library or framework, you can bring in at least a dozen additional libraries and/or frameworks, which you do not always know.
In this method, the majority of your total application is dependent. Attackers are increasingly targeting open source dependencies, as their reuse offers a malevolent victim. It is also crucial to guarantee that in the entire dependency tree of your application there are no known vulnerabilities.
Pursue the principle of least privilege
Authorization is provided as well as authentication. They sound like that, but they are different. As we have seen in point 4, authentication demonstrates that the user or service is really who it is, whereas authorization goes beyond this to verify that the person or service can carry out any activity or action. We know that we need to inspect it and guarantee that users, services, or processes are or are in a position to perform this. However, it is often too easy to access from a coding point of view as is truly necessary.
According to the least privilege idea, each module (e.g., process, user, or programme, depending on the subject) should only have access to information and resources that are necessary for its lawful purpose. Allow individuals or processes to fulfil their goals with the bare minimum of access and permissions.
Writing particular automatic unit and integration tests that not only test the happy path but also, more crucially, test the unpleasant security-related scenarios is a wonderful method to test for this. These tests should be able to authenticate, but they will attempt to conduct actions that they are not authorized to perform. When changing the roles your application runs under or introducing new resources. That require you to be in a specific role to do these tests should always be introduce.
Test your source code statically and automatically
For developers, static code analysis is a highly useful tool. Static Application Security Testing (SAST) tools are a security-focused subset of these technologies. A SAST tool will detect if a security-related bug has crept into the code you and your team developed by looking at it statically. SAST tools, such as Snyk Code, can detect issues like SQL injections and code vulnerabilities.
We advise a SAST over a safety linter. Although linters may be quite beneficial when analyzing the static code (bugs, errors, etc.), they produce many false-positive elements. As all linters are rule-based and do not look at the whole context of your code, linters will mark your code as a bug or as a security issue in a bunch of circumstances. Nonetheless, the linter can avoid terrible blunders if you adjust the ruleset. The ideal means is to maximize the automation of these procedures. For example, if a new pull request is sent to your repository as part of your build process. All this is done using Snyk Code and SAST capabilities are included in the workflows.
If you do not already have a SAST tool, you can utilize it during manual code reviews or, even better; automate it in your workflow so people can identify obvious flaws sooner.