Code reviews are hard to do well, particularly when you're not entirely sure which errors you should be looking for. The DevSecOps approach shifts security testing left so that vulnerabilities are found and fixed earlier, in the design, development, or CI/CD stages of the workflow. It's always a good idea to check for security issues in code that you review. If you don't know what to look for, this series gives you pointers for your next code reviews.
Who reviews your code?
After you have written your code, who actually reviews it? Do you ask the new junior on your team simply because that person happens to be available? The goal of a review, in general, is to spot mistakes made during development, and in this case to prevent security issues.
Be aware when reviewing code that not all code is written equal. Think about what lies behind the code you're reviewing: the data and assets you are trying to protect. This working knowledge is not easy to capture in a checklist. Using your domain knowledge helps you decide where to spend more of your time, where to expect higher risk, and which types of attacks to expect. A payment or authentication module deserves more scrutiny than a change to a static help page.
In addition, when appointing a reviewer, make sure that person has the appropriate knowledge to review the code. When code with a higher security risk needs to be reviewed, ensure that someone with security knowledge (also) looks at it. Handing this task to the new junior on your team alone does not, by default, make your code more secure.
A great way of determining where the highest-risk areas are is to create attack trees: they show you which paths an attacker would take most cheaply, and therefore where to focus your review effort first and most.
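As an added illustration (not code from the original post), the snippet below models a small attack tree and ranks every complete attack path by estimated attacker effort, cheapest first, so the leaves on the cheapest path tell you which code to review most carefully. The tree, the node names and the effort scores are all constructed for this example; the OR/AND gate semantics (an OR node is achieved by any one child, an AND node only when every child is achieved) are the standard attack-tree interpretation.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# A node is either a LEAF (a concrete attacker step with an effort score),
# an OR gate (any one child suffices) or an AND gate (all children are needed).
@dataclass
class Node:
    name: str
    gate: str = "LEAF"          # "LEAF", "OR" or "AND"
    cost: int = 0               # leaves only: estimated attacker effort (hypothetical 1-10 scale)
    children: List["Node"] = field(default_factory=list)


def all_paths(node: Node) -> List[Tuple[int, List[str]]]:
    """Enumerate every complete attack path below `node` as (total cost, leaf names)."""
    if node.gate == "LEAF":
        return [(node.cost, [node.name])]
    child_paths = [all_paths(child) for child in node.children]
    if node.gate == "OR":
        # Any single child's path achieves the goal.
        return [path for paths in child_paths for path in paths]
    if node.gate == "AND":
        # Every child must be achieved: combine one path from each child, summing costs.
        combined: List[Tuple[int, List[str]]] = [(0, [])]
        for paths in child_paths:
            combined = [(c1 + c2, l1 + l2) for c1, l1 in combined for c2, l2 in paths]
        return combined
    raise ValueError(f"unknown gate type: {node.gate}")


def review_priority(root: Node) -> List[Tuple[int, List[str]]]:
    """All attack paths ordered cheapest first; the first entry is where review effort should go."""
    return sorted(all_paths(root), key=lambda p: (p[0], p[1]))


def cheapest_attack(root: Node) -> Tuple[int, List[str]]:
    """The single cheapest way to reach the root goal."""
    return review_priority(root)[0]


def build_example_tree() -> Node:
    """Constructed example: a web application whose crown jewel is the customer database."""
    return Node("Steal customer records", "OR", children=[
        Node("SQL injection in search endpoint", cost=2),
        Node("Compromise admin account", "AND", children=[
            Node("Phish admin password", cost=3),
            Node("Bypass MFA on admin login", cost=6),
        ]),
        Node("Upload web shell via avatar upload", cost=5),
    ])


if __name__ == "__main__":
    for cost, leaves in review_priority(build_example_tree()):
        print(f"effort {cost}: " + " AND ".join(leaves))
```

Running it lists the search endpoint's SQL injection as the cheapest route (effort 2), then the avatar upload (5), then the phishing-plus-MFA-bypass combination (9). In a real review the scores come from your own threat model, but the ordering is what decides which pull requests get a security-aware reviewer and the most time.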
Review time
Creating the code takes a certain amount of time, and a thorough review should be given time in proportion. In many cases, however, the time spent reviewing is only a small fraction of the time spent writing. Understanding code someone else wrote and trying to spot security issues in it is hard and definitely time-consuming. Rushing through it does not help you spot potential security issues; if the review slot is too short for the change, say so rather than approve it unread.
Want to know more
Check the complete Secure code review cheat sheet