Secure Code Review - Filling the Essential Gap in Software Security
The telecommunication industry has faced many changes in the last decade. By the end of 2009, nearly 70 % of the world population had access to mobiles. This Telco success is also attributed to the widespread growth of web applications. The business value these web applications deliver makes them an attractive target for hackers who steal data, cause denial of service, disrupt operations and so on. The story is no different for other industry verticals: Banking, Retail, Financial markets, Government, Insurance etc. offer enough business value to make themselves attractive targets for hacking as well.
Almost 70% of all attacks happen at the application level. To ensure web application security, there are a few established best practices: threat modeling, secure design review, secure code review, security testing (vulnerability assessment) and penetration testing. Let's focus on secure code review as the topic of discussion and try to address a few questions about it that business owners usually get stuck on.
Why do we need secure code review?
Many serious security problems can be addressed just by having secure code review in place as part of the secure software development life cycle. There are many security issues which cannot be identified effectively by any means other than secure code review. E.g. CRLF injection against audit logs, auditing/logging gaps, denial of service, resource management and error handling issues cannot be addressed very effectively other than through secure code review.
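As an added illustration of the CRLF/audit-log class named above (example code, not from the original article): an audit line built from raw user input lets a CR/LF in the input forge a second log record, while the hardened version encodes control characters so one event stays one line. The login handler, the log format and the sample username are constructed assumptions.

```python
# Added example: CRLF log forging, a finding a secure code reviewer looks for.
# Assumptions (not from the article): a login handler writes one audit line per
# attempt, and the username is taken straight from the request.
import re

AUDIT_FORMAT = "{level} login user={user} result={result}"

# Matches C0 control characters and DEL; these are what break "one event, one line".
CONTROL = re.compile(r"[\x00-\x1f\x7f]")
ESCAPES = {"\r": "\\r", "\n": "\\n", "\t": "\\t"}


def audit_line_vulnerable(user: str, result: str) -> str:
    """Interpolates raw input: a CR/LF inside `user` injects a forged audit line."""
    return AUDIT_FORMAT.format(level="INFO", user=user, result=result)


def neutralize(value: str) -> str:
    """Escape backslashes and control characters so the value cannot end the line."""
    value = value.replace("\\", "\\\\")
    return CONTROL.sub(
        lambda m: ESCAPES.get(m.group(), "\\x%02x" % ord(m.group())), value
    )


def audit_line_hardened(user: str, result: str) -> str:
    """Same format, but untrusted fields are neutralized before interpolation."""
    return AUDIT_FORMAT.format(level="INFO", user=neutralize(user), result=result)


def lines_seen_by_log_parser(entry: str) -> list:
    """A downstream log parser splits on line breaks; every extra element is a forged record."""
    return entry.splitlines()


if __name__ == "__main__":
    # Constructed malicious username: a failed login that smuggles a "success" for admin.
    forged_user = "alice\r\nINFO login user=admin result=success"
    for line in lines_seen_by_log_parser(audit_line_vulnerable(forged_user, "failure")):
        print("vulnerable:", line)
    for line in lines_seen_by_log_parser(audit_line_hardened(forged_user, "failure")):
        print("hardened:  ", line)
```

A reviewer flags any logging call where request-controlled data reaches the log without passing through a neutralizer like this one.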
Does having secure code review in place result in any cost savings?
The answer is a big YES. Security introduced late in the SDLC results in much higher cost to fix the security defects. For security defects, late-stage costs are often much higher because, in addition to having to remediate the flaws, successful exploits may lead to data theft, denial of service or other attacks that damage brand reputation.
Can manual code review serve as an effective way to find security vulnerabilities?
Many organizations are realizing the importance of secure code review and have started including code review in their SDLC. Automated tools need to be used to make the process faster. Static analysis tools used for secure code review look for a fixed set of patterns, or rules, in the code in a manner similar to virus-checking programs. However, these tools cannot replace a human analyst. It is not effective to review code without knowledge of its functionality. The reviewer must be technically equipped to spot bugs and smart enough to relate them to the business function that the code implements. The big question is where the skills to tackle this scenario come from.
The Need for Skilled Resources: This Is Where the Buck Stops
Building secure software is the responsibility of all the stakeholders involved in the SDLC. Organizations need to evolve toward a program that truly works for them. Therefore, there is a strong need for security-skilled people.
Training is one part of making staff aware of security. There is a lot more that needs to be done to make a comprehensive security setup. The current environment needs to change. It is not all about identifying, fixing and closing defects in every release. We need to feed the identified security bugs back into the requirements phase.
Staff who don't understand security will take their own time to get up to speed. The process should drive the need for a security consultant at the requirements stage. For this, we just need to train one of the team members in the security domain. That is preferable to bringing in a security-trained person who has never worked in an SDLC. The same rule applies to the other stakeholders as well.
Secure code review is one of the most efficient ways of producing secure software. Introducing security in the early phases gives a better outcome and proves cost effective as well. Our IT industry needs to have skilled security resources at all levels of the SDLC to counter the growing threat to web applications.
Profile: Shivi Arora is a distinguished security analyst working in the Security Consulting Group. He has undertaken various vulnerability assessment assignments involving security design/code review and application security testing for leading multinational companies.