Code reviews are hard to do well. Particularly when youโre not entirely sure about the errors you should be looking for! The DevSecOps approach pushes security testing left so that vulnerabilities can be found and fixed earlier, in the design, development, or CI/CD stages of the workflow. Itโs always a good idea to check for security issues in code that you review. In case you donโt know what to look for, check out this series to give you pointers for your next code reviews!
Enforce secure authentication
Authentication verifies that a user, service, or entity (internal or external) is who they say they are. This could be as simple as a user passing you their credentials, or a server providing you with its TLS certificate to validate it is indeed the server it claims to be. Authentication doesnโt tell you what the user or service is allowed to do, but rather that they are indeed that user or service. Letโs cover a few authentication best practices you should make note of:
Assume theyโre not who they say they are.
You should work under the principle that theyโre not who they say they are until they have provided the credentials to prove it. Assuming the user or service shouldnโt have access to your data is, of course, the safest way of behaving. Make sure your code reflects that.
Enforce password complexity
In the case of users, consider being more lenient, in terms of the usernames, particularly when using email addresses. For instance, thereโs little value in distinguishing between Patch@snyk.io and patch@snyk.io, whereas itโs important to enforce password complexity (at least 1 uppercase character, 1 lowercase character (a-z), 1 digit (0-9) and 1 special character) and length (NIST SP800-132). I understand, itโs difficult to remember all those random โ or not, long, and complicated passwords. But, come on! Itโs the year 2020 and password managers are here to save you!
Re-authenticate before sensitive operations
Asking users for their credentials โ before transferring monies, or performing sensitive actions โ mitigates potential Cross-Site request forgery (CSRF) and session hijacking attacks. An attacker might perform these sensitive tasks without ever having provided the userโs credentials. This security measure, while inconvenient to your users, can protect them in long term.
TLS client authentication
TLS Client Authentication, also known as two-way TLS authentication, requires both the browser and server to authenticate, each sending their TLS certificates in a TLS handshake. This is achieved by a user or service obtaining a client certificate from the server and providing it on subsequent interactions. The user may need to install the certificate if using a browser.
Want to know more
Check the complete Secure code review cheat sheet
Top comments (0)