Software Security: Code Review

CODE REVIEW


Industries: Source Code Review (Malaysia)
It is quite remarkable to see that industries in Malaysia are engaging with current cyber security requirements by providing services such as code review and penetration testing. Some of them have been involved since 2016 by supporting multinational companies.


They are:
LGMS @ Asia Cybersecurity Exchange
Go to: https://lgms.global/source-code-review/
Teleawan Sdn Bhd
Go to: https://www.teleawan.com/source-code-review
FIRMUS
Go to: https://firmussec.com/source-code-review/


Most of the industry globally uses the OWASP Code Review methodology.
You can easily find the current version of the OWASP Code Review Guide 2.0 at https://owasp.org/www-pdf-archive/OWASP_Code_Review_Guide_v2.pdf
The contents are:
  • How to use the guide
  • Secure Code Review
  • Methodology
  • Reviewing by Framework
  • OWASP Top Ten A1 – A10 [refer below]
Related information:

OWASP Top 10 Web Application Security Risks

https://owasp.org/www-project-top-ten/
Globally recognized by developers as the first step towards more secure coding. – OWASP


Source Code Analysis Tools

Also known as Static Application Security Testing (SAST) tools. Other information:
  • Important Selection Criteria (of tools)
  • Open Source & Commercial Tools available

For details, go to: https://owasp.org/www-community/Source_Code_Analysis_Tools


Source Code Review vs. Penetration Testing for Web Application Security by Uladzislau Murashka, Penetration Testing Consultant, ScienceSoft.

“The article gives a clear view of the importance of comprehensive security testing. For web applications involving sensitive data (Healthcare, Banking, Insurance web applications) it’s a perennial must. While pentesting explores vulnerable application areas, which may let the hackers in, code review helps detect internal problems and inconsistencies. Though these problems are not visible to outside hackers, they may be at the root of application vulnerability.” Elizabeth Barkaline (2017)

Go to: https://www.scnsoft.com/blog/web-applications-security-source-code-review-vs-penetration-testing (accessed April 28, 2020)


What you should know before you Pick Secure Code Review services?

An interesting article for learning more about Secure Code Review services, covering the following:
  1. 4 processes in the SSDLC’s Coding (or Development) Phase
  2. 4 types of Code Reviews
  3. Tools and checklist for Code Review
  4. Practices for an organization’s secure code
Reference:
https://www.briskinfosec.com/blogs/blogsdetail/What-you-should-know-before-you-Pick-Secure-Code-Review-services


Top 10 Most Popular Code Review Tools For Developers And Testers

https://www.softwaretestinghelp.com/code-review-tools/


Top 40 Static Code Analysis Tools (Best Source Code Analysis Tools)

https://www.softwaretestinghelp.com/tools/top-40-static-code-analysis-tools/

As a computer security student and software developer, I hope that we share the same excitement for the code review methodology and technology.


Your task for submission:
A page report that summarizes the Code Review content here that you have learned and understood.
Please include feedback: what you knew 1) before learning; 2) after learning; and 3) how it will help you in your future job.
Submit to e-learning by Monday, May 4, 4:03pm.


Thank you.
Ms Rashidah