Do I need to do a source code review?

Writing code is the foundation of building an application. Think Mark Zuckerberg and his army of developers in the movie on Facebook. The smallest missteps could cause glitches at the functional level, and affect the app’s performance.

However, very often the security aspect is either compromised or brushed aside while coding. Loopholes in your code could offer easy access for viruses and malicious attackers to enter the system, compromise data, and affect the availability or performance of the application. 

Security audits for applications can be either Dynamic Analysis Security Testing (DAST) or Static Application Security Testing (SAST). Both are complementary approaches, deployed at different times in the software development lifecycle and identifying different vulnerabilities. DAST, also known as blackbox testing identifies vulnerabilities while an application is running. SAST is deployed during the development phase or in DevSecOps, making it easy for developers to identify and fix issues as they are coding. Performing a source code security analysis, or source code review helps identify vulnerabilities early in the software testing lifecycle. 

What is source code review in the context of cyber security?

A secure code review is a line-by-line analysis of the source code of an application, usually performed to find any security-related errors overlooked during the development phase. These security vulnerabilities may have bypassed penetration testing. This systematic examination can be either automatic or a manual process that identifies hidden security vulnerabilities and loopholes, and verifies if security checks have been implemented.  

source code review

Source code reviews not only involve security but also look into the aspects of performance, functional level issues, etc. Besides during the development phase, many organisations are also implementing this nowadays to fulfill security regulatory or compliance requirements. 

Insights into secure coding with a security vendor

Whenever there is a security requirement, there are two possibilities – performing it internally or handing it over to an external security vendor who does an independent analysis to identify gaps

Engaging a third-party security expert has advantages for organisations. An external view on vulnerabilities can be compared with the results of their internal security teams to gain deeper insights into manual errors and programming mistakes by different teams. Security experts are up to date with the topical security issues in a particular programming stack or that are predominant or trending in the industry. Additionally, smaller organizations need not invest in resources, training, and tools as they can rely on the services and industry knowledge of an expert. 

At Entersoft, we recommend external source code reviews if:

  • You operate a very sensitive business and deal with critical areas
  • You have to pass some compliance or regulatory requirements, where a third-party source code review is mandatory

Security best practices involve adhering to security standards internally, having security toolsets, doing peer-to-peer code reviews (a person doing a code review on a fellow employee’s source code to identify weaknesses or flaws). This will help the organisation build secure applications and better products – not only in terms of functionality but also on the security side of things.

Identify vulnerabilities early with SAST

When you are trying to build a product, it has to pass through several stages in the Software Testing Life Cycle (STLC) – the design phase, implementation phase followed by thorough testing before releasing it to production. 

When the product is in the development stage, developers make use of toolsets embedded right into their development platforms. For instance, IDEs (integrated development environments) such as Visual Studio, Android Studio, Net Beans, Eclipse have a specific interface for developers to code, develop an application and build the system. These IDEs come with security plugins or extension integrations. Developers can include these to identify any security vulnerabilities and source code level issues. They give alerts to development teams so that they are not writing bad code right from the start. This ensures bugs are addressed early during development as this becomes more expensive to identify and fix during production. 

Security standards followed during secure code review – the baseline

Security standards that are used as part of SAST are defined by the Open Web Application Security Project or OWASP, the globally recognized benchmark for the security of software. OWASP publishes secure coding guidelines and best practices that can help avoid any security issues. Security, in general, is defined by OWASP, but for every programming language, there is a specific entity involved that defines its own security standards. Enterprises developing programming stacks also share secure coding practices. Microsoft provides coding standards for .NET and Google for Android. For programming languages such as Java, PHP, and C, C++, CERT maintains these standards. Apple defines security standards for Objective-C or Swift. 

Certifications required to do source code analysis

To perform SAST, the minimum level of certification expected is Certified Ethical Hacker or CEH. While a CEH is purely for dynamic testing, insisting that a developer/code reviewer has this skillset comes with advantages. CEH profiles are trained to understand security in a thorough manner – right from the network level up to applications and deployment. So, they can easily identify all the loopholes and vulnerabilities possible which could be exploited by a hacker. Certified Ethical Hackers are also adept and up to date with all the security standards like OWASP and other security guidelines. 

EC Council and SANS Institute offer programming-based certifications as professional secure code developers. Once certified, developers can build better, more secure systems. In the case of enterprises, at least one team member should be certified in secure coding – a SANS-certified profile. In the case of SMEs, they can opt for workshops and live training sessions. This will help them understand security best practices and vulnerabilities in the programming stack of their choice. They can implement this for products within the organization.

When should enterprises opt for source code review or SAST?

A good practice is to review and plan for security requirements for an application during the requirement-gathering phase of the STLC. There is a better chance of establishing strong security controls if product documentation detailing the security guidelines and best practices is shared with development teams. To verify that these controls are up to the mark, there should be one person to ensure coding implementation is done in the right manner. This is the general practice recommended for any organisation. 

Sometimes, security-related vulnerabilities or challenges impose time constraints or barriers to a product release. Stakeholders may not be in a position to delay production release as they have to meet promised delivery timelines. In this case, they prioritize and focus only on critical and high-level vulnerabilities. The general practice is to leave medium, low, and information level issues to be targeted in the subsequent release.

How Entersoft can support you with SAST

As a security vendor, we understand the programming stack the customer is opting for. Depending on the stage of development or release, we deliver both SAST and DAST using both automated tools and manual expertise. 

Automated scans are conducted using open source or commercial tools, such as Fortify from HP, Micro Focus Fortify, open-source tool SonarQube, Veracode (market leader for SAST), and Checkmarx. 

Once the automated scans are complete, a manual review helps identify false positives and also to detect vulnerabilities not identified by the tool. As tools are built based on patterns, at times, there are new changes added to the programming stack. A manual reviewer will have access to this documentation. He can assess code changes in the updated document and look into the code. Conversely, a SAST tool takes a lot of time to include these new changes into the system because it has to ascertain some patterns; a certain logic to identify a vulnerability. 

This is the value proposition of Entersoft – that we have highly qualified and certified ethical hackers who can carry out these assessments using automated tools and also manual reviews of the code based on the most recent standards, the latest threats, and patterns in any programming language. 

  • Enterprise customers

As an enterprise, you have the maturity in understanding both application development and the security aspects that go with it. You have the tools and an internal security team. By looking into the code and the vulnerability, you know what is important and what is not. However, you face certain challenges.

Firstly, there could be a long list of vulnerabilities not addressed during earlier release cycles. At times, a particular security risk throws up functional-level issues. Tight deadlines mean they have security challenges which they may not be able to fix in time. Your development teams require support to fix vulnerabilities with the shortest turnaround time possible. 

In this case, whenever you have a release cycle, Entersoft can provide a thorough source code security analysis. We can support your development teams to fix all security issues in a timely manner. We also perform external security audits in case of regulatory or compliance requirements. 

  • SMEs

When it comes to SMEs, in most cases, they don’t get a chance to conduct source code reviews at all. This results in a large number of vulnerabilities identified during SAST. 

As an SME, you may not have the tools, the required skillsets, or the budget to do a code analysis. However, you want to quickly resolve security issues because you are going live and the customer is asking for a security report. As your security partner, Entersoft provides support to address your entire pool of vulnerabilities. We can assign priorities and perform support activities – security peer review, automation, and manual analysis.