64be88b16d5329e132a64044 - Secure Code Review Cheat Sheet

Automated and manual secure code reviews each have benefits. Automated reviews can quickly find issues across large codebases but may miss intricacies, while manual reviews improve team knowledge but require developer time. Overly complex code is difficult to maintain and risks vulnerabilities, so new dependencies should be vetted for popularity, security history, and known issues before use. The best secure code reviews combine automation, tools, and manual review.


Secure Code Review Cheat Sheet

Automated Secure Code Review

Quickly find issues throughout your codebase. Use automation to consistently test throughout the software development process.

SAST

Static Application Security Testing quickly finds issues like injection attacks, buffer overflows, and misconfigurations.
- Does not require a complete build
- Can run in your IDE
- Some tools can also test IaC configurations

Secret Scanning

Detect plaintext hardcoded secrets in your codebase.
- Scans should be done early in the development process to catch secrets before they even enter the git history
- Tools like ggshield can be automated as a pre-commit hook

SCA

Software Composition Analysis is used to find vulnerabilities associated with third-party components in your codebase.
- Get a view into all third-party dependencies
- Track every version of every dependency in your code
- Quickly identify any third-party code with known issues

Manual Secure Code Review

Requires developers who understand the intricacies of each issue. A great way to share knowledge and improve the team.

Maintainability and Complexity

Overly complex code is difficult to maintain long-term and can allow bugs and vulnerabilities to slip through to production.

Considerations For New Dependencies

Look at the popularity, security and history of any new package. The more popular a package is, the more likely it will be maintained, have no known vulnerabilities, and have security issues fixed quickly.

Encryption

Attackers can use vulnerabilities in logic to cause unexpected behaviors. Experienced developers familiar with the data and processes can often spot issues SAST tools can not.

Error Handling

Make sure that your error messages aren't too revealing, exposing how your application works to attackers, while ensuring they provide enough coverage to be useful to the end user.

Great Secure Reviews Combine Automation, Tools and Manual Review
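The SAST entry above says such tools find injection issues without a complete build and can run in your IDE. The following is an added example (not from the cheat sheet, and not the code of any SAST product) of the smallest useful form of that: a Python `ast` walk that flags SQL passed to DB-API cursor methods when the query string is assembled by concatenation, `%` formatting, `.format()` or an f-string. The sink names and the sample source it scans are constructed for the example.

```python
"""Minimal SAST-style check: flag SQL queries built by string formatting.

Added example: it parses Python source with the standard `ast` module, so it
needs no build step and can run from an editor save hook or a CI step.
"""
import ast
from dataclasses import dataclass

# Constructed sink list: the DB-API cursor methods that execute SQL text.
SQL_SINKS = {"execute", "executemany", "executescript"}


@dataclass
class Finding:
    line: int
    message: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime from other values."""
    if isinstance(node, ast.JoinedStr):            # f"..." with placeholders
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp):
        if isinstance(node.op, ast.Add):           # "..." + user_input
            return not (isinstance(node.left, ast.Constant)
                        and isinstance(node.right, ast.Constant))
        if isinstance(node.op, ast.Mod):           # "... %s" % user_input
            return True
    if isinstance(node, ast.Call):                 # "...{}".format(user_input)
        func = node.func
        return isinstance(func, ast.Attribute) and func.attr == "format"
    return False


class SqlInjectionVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SQL_SINKS and node.args:
            if _is_dynamic_string(node.args[0]):
                self.findings.append(Finding(
                    node.lineno,
                    f"query passed to {func.attr}() is built by string formatting; "
                    "use a parameterised query instead"))
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Parse `source` and return every dynamic-SQL finding, in source order."""
    visitor = SqlInjectionVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample under review: three unsafe query constructions, two safe ones.
SAMPLE = '''
def lookup(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")   # unsafe
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")       # unsafe
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)     # unsafe
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))      # safe
    cur.execute("SELECT COUNT(*) FROM users")                       # safe
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.message}")
```

The check is deliberately syntactic: it needs no type information, no resolved imports and no build, which is exactly why it can run in the editor, and also why it will miss a query assembled several statements earlier and stored in a variable. That gap is the "intricacies" the manual column of the sheet is there to cover.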
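The Secret Scanning entry above recommends catching plaintext secrets before they enter git history, for instance from a pre-commit hook. This is an added example of what such a hook does, written for the cheat sheet here and not taken from ggshield or any other scanner: it reads a unified diff of the staged changes, looks only at added lines, matches a few provider-specific key formats plus a generic "secret-looking assignment" pattern, and uses Shannon entropy to skip obvious placeholders. The patterns, threshold and the sample diff are constructed for the example.

```python
"""Secret detector of the kind a pre-commit hook runs over staged changes.

Added example: provider patterns plus an entropy check on assigned string
literals, reporting file and line so the commit can be blocked.
"""
import math
import re
import sys
from collections import Counter

# Constructed rules: an AWS access key ID shape, a GitHub classic PAT shape,
# and a generic "secret-named variable = quoted string" assignment.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; tuned for the constructed samples


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking strings score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str) -> list[str]:
    """Return the names of the rules a single line of content triggers."""
    hits = []
    for name, rx in PATTERNS.items():
        m = rx.search(line)
        if not m:
            continue
        if name == "generic_assignment":
            # Only flag values that look random; "changeme" style placeholders pass.
            if shannon_entropy(m.group(2)) < ENTROPY_THRESHOLD:
                continue
        hits.append(name)
    return hits


def scan_diff(diff_text: str) -> list[tuple[str, int, str]]:
    """Scan only the added lines of a unified diff; returns (file, new line no, rule)."""
    findings = []
    current_file = None
    new_line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)        # start line on the new side
            new_line_no = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            for rule in scan_line(raw[1:]):
                findings.append((current_file, new_line_no, rule))
            new_line_no += 1
        elif not raw.startswith("-"):
            new_line_no += 1                     # context line, counts on the new side
    return findings


# Constructed staged diff: one real-looking password, one AWS key ID shape,
# one placeholder that the entropy filter should ignore.
DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "Xk9#pL2$vQ7mN4wR!zT8"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+API_KEY = "changeme123"
 DEBUG = False
"""

if __name__ == "__main__":
    # Hook usage: `git diff --cached | python secret_hook.py`; non-zero exit blocks the commit.
    text = sys.stdin.read() if not sys.stdin.isatty() else DIFF
    found = scan_diff(text)
    for path, line, rule in found:
        print(f"{path}:{line}: possible secret ({rule})")
    sys.exit(1 if found else 0)
```

Scanning the staged diff rather than the working tree is the point of running it at pre-commit: the secret is reported before the commit object exists, so there is nothing to rewrite out of history afterwards.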
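The SCA entry above is about tracking every pinned version and matching it against known issues, and the Considerations For New Dependencies entry is about popularity, security and history. One added example covers both (it is written for this page and is not any SCA product's code): a parser for a `name==version` lockfile, a check of the pins against an advisory list with introduced/fixed version ranges, and a vetting gate that turns the sheet's three questions into a pass/fail. The advisory identifiers, the package metadata and the lockfile are constructed stand-ins for what a real tool pulls from a vulnerability database and a package index.

```python
"""Lockfile check of the SCA kind, plus a new-dependency vetting gate.

Added example with constructed data: advisory IDs of the form EXAMPLE-ADV-nnnn
are placeholders, not real advisories.
"""
import re
from dataclasses import dataclass
from datetime import date


def parse_version(v: str) -> tuple[int, ...]:
    """'1.26.5' -> (1, 26, 5); non-numeric parts are dropped (enough for exact pins)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_lockfile(text: str) -> dict[str, str]:
    """Parse 'name==version' lines (requirements.txt style); comments are ignored.

    An unpinned line is an error: a version that is not recorded cannot be tracked.
    """
    pins: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    advisory_id: str


def find_vulnerable(pins: dict[str, str], advisories: list[Advisory]) -> list[tuple[str, str, str]]:
    """Return (package, pinned version, advisory id) for every pin inside an affected range."""
    hits = []
    for adv in advisories:
        pinned = pins.get(adv.package.lower())
        if pinned is None:
            continue
        v = parse_version(pinned)
        if parse_version(adv.introduced) <= v < parse_version(adv.fixed):
            hits.append((adv.package, pinned, adv.advisory_id))
    return hits


@dataclass(frozen=True)
class PackageMetadata:
    name: str
    monthly_downloads: int   # popularity
    last_release: date       # history / maintenance
    open_advisories: int     # security


def vet_new_dependency(meta: PackageMetadata, today: date,
                       min_downloads: int = 10_000, max_stale_days: int = 365) -> list[str]:
    """Apply the cheat sheet's popularity / security / history questions; empty list = pass."""
    reasons = []
    if meta.monthly_downloads < min_downloads:
        reasons.append(f"low popularity: {meta.monthly_downloads} downloads/month")
    if (today - meta.last_release).days > max_stale_days:
        reasons.append(f"unmaintained: last release {meta.last_release.isoformat()}")
    if meta.open_advisories > 0:
        reasons.append(f"{meta.open_advisories} unfixed security advisories")
    return reasons


# Constructed inputs.
LOCKFILE = """
# constructed lockfile
requests==2.19.1
urllib3==1.26.5
pyyaml==6.0.1
"""
ADVISORIES = [
    Advisory("requests", "2.3.0", "2.20.0", "EXAMPLE-ADV-0001"),
    Advisory("urllib3", "1.0", "1.26.5", "EXAMPLE-ADV-0002"),  # pin equals fix: not affected
    Advisory("pyyaml", "5.1", "5.4", "EXAMPLE-ADV-0003"),
]
TODAY = date(2023, 7, 24)
HEALTHY = PackageMetadata("widely-used-lib", 2_000_000, date(2023, 6, 1), 0)
RISKY = PackageMetadata("abandoned-helper", 120, date(2019, 1, 1), 1)

if __name__ == "__main__":
    for pkg, ver, adv in find_vulnerable(parse_lockfile(LOCKFILE), ADVISORIES):
        print(f"{pkg}=={ver} is affected by {adv}")
    for meta in (HEALTHY, RISKY):
        print(meta.name, "->", vet_new_dependency(meta, TODAY) or "ok")
```

Two things worth noting in the design: the fixed version is an exclusive bound, so a pin exactly at the fix is reported clean (a common off-by-one in home-grown checks), and an unpinned entry fails loudly instead of being skipped, because a dependency whose version is unknown is one the SCA step cannot track at all.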
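The Error Handling entry above asks for messages that are useful to the end user without revealing how the application works. As an added example (not from the cheat sheet, framework-free so it runs stand-alone), here is the revealing handler beside the hardened one. Both take a request dict and return a (status, body) pair; `db_lookup` is a constructed backend whose exception text contains the kind of internal detail (table name, host name) that should never reach a client.

```python
"""Error responses: the leaky handler beside the hardened one.

Added example with a constructed backend. The hardened handler keeps the
detail in the server log and gives the client a correlation id instead.
"""
import logging
import traceback
import uuid

log = logging.getLogger("app")


class RecordNotFound(LookupError):
    """Raised by the constructed backend for an unknown id."""


def db_lookup(user_id: str) -> dict:
    # Constructed backend: the message mimics a driver error full of internals.
    if user_id == "42":
        return {"id": "42", "name": "alice"}
    raise RecordNotFound(f"no row in users_v3 for id={user_id!r} (host db-primary-01)")


def handler_leaky(request: dict) -> tuple[int, dict]:
    """The 'before': whatever the backend said is echoed to the caller."""
    try:
        return 200, {"user": db_lookup(request["id"])}
    except Exception as exc:
        # Table names, host names and stack frames all go to the client.
        return 500, {"error": str(exc), "trace": traceback.format_exc()}


def handler_hardened(request: dict) -> tuple[int, dict]:
    """The 'after': specific for expected conditions, generic for everything else."""
    correlation_id = uuid.uuid4().hex
    try:
        return 200, {"user": db_lookup(request["id"])}
    except RecordNotFound:
        # Expected condition: actionable for the user, no internals.
        return 404, {"error": "user not found", "correlation_id": correlation_id}
    except Exception:
        # Unexpected: the full traceback goes to the server log only; the client
        # gets a generic message plus an id support can search the log for.
        log.exception("unhandled error, correlation_id=%s", correlation_id)
        return 500, {"error": "internal error", "correlation_id": correlation_id}


# Markers a reviewer would grep responses for; constructed to match db_lookup's message.
INTERNAL_MARKERS = ("users_v3", "db-primary-01", "Traceback")


def leaks_internals(body: dict) -> bool:
    """True if any internal marker appears anywhere in the response body."""
    text = str(body)
    return any(m in text for m in INTERNAL_MARKERS)


if __name__ == "__main__":
    for name, handler in (("leaky", handler_leaky), ("hardened", handler_hardened)):
        status, body = handler({"id": "7"})
        print(f"{name}: {status} leaks_internals={leaks_internals(body)} body={body}")
```

The correlation id is what makes the generic message acceptable: the user has something concrete to quote, and the operator can find the full traceback in the log, so neither side needs the internals in the response.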
