Software Security: Code Review

CODE REVIEW


Industries: Source Code Review (Malaysia)
It is remarkable that industry players in Malaysia are meeting current cyber security requirements by providing services such as code review and penetration testing. Some have been involved since 2016, supporting multinational companies.


They are:
  • LGMS @ Asia Cybersecurity Exchange
    Go to: https://lgms.global/source-code-review/
  • Teleawan Sdn Bhd
    Go to: https://www.teleawan.com/source-code-review
  • FIRMUS
    Go to: https://firmussec.com/source-code-review/


Most of the industry worldwide uses the OWASP Code Review methodology.
The current version, OWASP Code Review Guide 2.0, is available from https://owasp.org/www-pdf-archive/OWASP_Code_Review_Guide_v2.pdf
Its contents are:
  • How to use the guide
  • Secure Code Review
  • Methodology
  • Reviewing by Framework
  • OWASP Top Ten A1 – A10 [refer below]
Related information:

OWASP Top 10 Web Application Security Risks

https://owasp.org/www-project-top-ten/
Globally recognized by developers as the first step towards more secure coding. – OWASP


Source Code Analysis Tools

Also known as Static Application Security Testing (SAST) tools. Other information:
  • Important Selection Criteria (of tools)
  • Open Source & Commercial Tools available

For details, go to: https://owasp.org/www-community/Source_Code_Analysis_Tools
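To make concrete what a SAST tool does behind the scenes, here is an added example (written for this page, not taken from OWASP or from any of the tools linked above). It is a deliberately small pattern-based scanner: a table of rules, each a regular expression with a severity, applied line by line to source text, with comment lines skipped. The sample source it scans is constructed for the example and contains a hard-coded credential, string-concatenated SQL, a shell=True call and a weak hash, plus a safe parameterised query and a comment that should not be flagged. Real tools work on parsed code and data flow rather than regexes, so this shows the idea of rule-driven review, not the precision of a commercial product.

```python
import re

# Rule table: (rule id, severity, compiled pattern). Patterns are illustrative;
# a production SAST engine reasons over the AST and data flow, not raw text.
RULES = [
    ("HARDCODED_SECRET", "HIGH",
     re.compile(r'(?i)(password|passwd|secret|api_key|token)\s*=\s*["\']')),
    ("SQL_CONCAT", "HIGH",
     re.compile(r'\.execute\((?:[^)]*\+|\s*f["\'])')),   # query built by + or f-string
    ("DANGEROUS_EVAL", "HIGH",
     re.compile(r'\b(eval|exec)\s*\(')),
    ("SHELL_TRUE", "MEDIUM",
     re.compile(r'shell\s*=\s*True')),
    ("WEAK_HASH", "LOW",
     re.compile(r'hashlib\.(md5|sha1)\s*\(')),
]

# Constructed sample source for the demo (not from any real project).
SAMPLE_SOURCE = "\n".join([
    "import hashlib, sqlite3, subprocess",                                   # 1
    'DB_PASSWORD = "s3cret"',                                               # 2 hard-coded credential
    "def find_user(conn, name):",                                            # 3
    "    cur = conn.cursor()",                                               # 4
    "    cur.execute(\"SELECT * FROM users WHERE name = '\" + name + \"'\")",  # 5 SQL concatenation
    "    return cur.fetchone()",                                             # 6
    "def run(cmd):",                                                         # 7
    "    return subprocess.run(cmd, shell=True)",                            # 8 shell=True
    "def digest(data):",                                                     # 9
    "    return hashlib.md5(data).hexdigest()",                              # 10 weak hash
    "def safe_find(conn, name):",                                            # 11
    '    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))',  # 12 safe: parameterised
    '    # token = "not-real"   <- comments are skipped by the scanner',     # 13
])


def scan_source(text):
    """Return a list of findings {line, rule, severity, text} for the given source text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("#"):
            continue                       # ignore comment-only lines
        for rule_id, severity, pattern in RULES:
            if pattern.search(line):
                findings.append({
                    "line": lineno,
                    "rule": rule_id,
                    "severity": severity,
                    "text": line.strip(),
                })
    return findings


def summarise(findings):
    """Count findings per severity, the way a report header usually does."""
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f['line']:>3}  {f['severity']:<6} {f['rule']:<17} {f['text']}")
    print("summary:", summarise(results))
```

Each finding is something a reviewer would still have to confirm by hand (the hard-coded value might be a test fixture, the shell call might only ever receive a constant); the scanner's job is to surface candidates, and the code review methodology decides what is actually a defect.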


Source Code Review vs. Penetration Testing for Web Application Security, by Uladzislau Murashka, Penetration Testing Consultant, ScienceSoft.

“The article gives a clear view of the importance of comprehensive security testing. For web applications involving sensitive data (Healthcare, Banking, Insurance web applications) it’s a perennial must. While pentesting explores vulnerable application areas, which may let the hackers in, code review helps detect internal problems and inconsistencies. Though these problems are not visible to outside hackers, they may be at the root of application vulnerability.” – Elizabeth Barkaline (2017)

Go to: https://www.scnsoft.com/blog/web-applications-security-source-code-review-vs-penetration-testing (accessed April 28, 2020)


What you should know before you Pick Secure Code Review services?

An interesting article for learning more about Secure Code Review services, covering the following:
  1. 4 processes in the SSDLC Coding (or Development) Phase
  2. 4 types of code review
  3. Tools and a checklist for code review
  4. Practices for an organization’s secure code
Reference:
https://www.briskinfosec.com/blogs/blogsdetail/What-you-should-know-before-you-Pick-Secure-Code-Review-services


Top 10 Most Popular Code Review Tools For Developers And Testers

https://www.softwaretestinghelp.com/code-review-tools/


Top 40 Static Code Analysis Tools (Best Source Code Analysis Tools)

https://www.softwaretestinghelp.com/tools/top-40-static-code-analysis-tools/

As a computer security student and software developer, I hope that we share the same excitement for the code review methodology and technology.


Your task for submission:
A one-page report that summarises the Code Review content here that you have learned and understood.
Please include feedback: what you knew 1) before learning, 2) after learning, and 3) how it will help you in your future job.
Submit to e-learning by Monday May 4, 4:03pm.


Thank you.
Ms Rashidah

STAY MOTIVATED AND FOCUSED FOR PSM 2

Assalamualaikum and welcome back to UTM. After Industrial Training (LI), your spirit has surely changed.
Everyone is fired up to complete PSM 2 this semester.


“Zulhamdi hasn’t done LI yet, never mind. We’ll do PSM 2 together and share the same aura!”


Here is some related information to help us focus, based on last year’s calendar. Even if there are changes, they will not be far off.
You may check the important PSM 2 dates and the actions that should be carried out before 12 February 2020 (Wednesday, 5pm).
Carry them out happily and enthusiastically once the goal is clear. When our hearts are happy, the results will certainly be good.


**********************************************************
PSM 2 IMPORTANT DATES, 2019/2020 SEMESTER 2
**********************************************************
Week         | Achievement target                                          | Action
06 (15 Mar)  | 40% system/experiment complete                              | DEMO 1
11 (19 Apr)  | 70% system/experiment complete                              | DEMO 2
12 (26 Apr)  | Draft PSM 2 report & draft URC paper complete               | SUPERVISOR (SV) REVIEW
14 (10 May)  | 100% system/experiment, report, URC paper & slides complete | EXAMINER REVIEW
15 (17 May)  | PSM 2 PRESENTATION & DEMO                                   | STUDENT / SUPERVISOR / EXAMINER
ACTION:
We now know the important PSM 2 dates. As the first step to raise our spirits and make PSM 2 a success this semester, let us:


  1. Build a PSM 2 blog, which will count as the PSM 2 logbook. Please send the URL in the PSM 2 group. A good and engaging blog will be awarded 10/10 marks for PSM 2.
  2. Upload the PSM 2 Gantt chart, so that we are clear from the start about what we will achieve within the available time.
  3. Log PSM 2 activities every week, starting on Sunday each week, for 15 weeks, containing:
    1. Purpose/goal
    2. Objectives/activities
    3. Results to be achieved this week
    4. Results not achieved last week, and the corrective action
  4. Any related posts: activities, casual diary entries, theory and motivation. We are human, not robots. Let them be enjoyable and beneficial for us and for others.
  5. Updates to No. 3 must be notified to the Supervisor by email notification.
That is enough for this week. To be continued.


Puan Rashidah
Plan well, then follow through diligently.
Surely, SUCCESS will be ours!

The difference between Authentication, Authorisation and Access Control

It is important to clearly distinguish the security concepts of authentication, authorisation and access control. There are several discussions of this, some of which also provide analogies and comparison tables. For a better understanding, you may study them and form your own definition.
They are:
  1. IBM Knowledge Centre [link]
  2. Priocept [link]
  3. CloudKnox [link]
  4. BU TechWeb [link]
DIY task in 10 minutes:  Write down your own definition of Authentication, Authorisation and Access Control on A4 paper. Submit during the class.
Rashidah Kadir 
20190920 12:57pm (Friday)
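Before writing your own definitions, it can help to see the three concepts as three separate pieces of code. The following is an added example for this post (not from the IBM, Priocept, CloudKnox or BU TechWeb pages linked above) with a constructed user table, a constructed role policy and a single enforcement function. Authentication answers "who are you?" by checking a password against a salted PBKDF2 hash; authorisation answers "what is this identity allowed to do?" by looking up a role-to-permission policy; access control is the point in the code that actually grants or refuses the operation, using both answers and recording the decision. The usernames, roles and resource names are assumptions made for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000   # iteration count for the demo; tune upwards in real deployments


# ---------- Authentication: establishing WHO the caller is ----------
def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed sample accounts (hypothetical users and roles, built at import time).
USERS = {
    "alice": {"role": "clerk", "cred": hash_password("alice-pass")},
    "bob":   {"role": "admin", "cred": hash_password("bob-pass")},
}


@dataclass(frozen=True)
class Principal:
    """The authenticated identity that later checks will reason about."""
    username: str
    role: str


def authenticate(username, password):
    """Return a Principal if the credentials are valid, otherwise None."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so unknown and known usernames take similar time.
        hash_password(password, b"\x00" * 16)
        return None
    salt, stored = user["cred"]
    _, candidate = hash_password(password, salt)
    if hmac.compare_digest(stored, candidate):   # constant-time comparison
        return Principal(username, user["role"])
    return None


# ---------- Authorisation: deciding WHAT an identity may do ----------
# Constructed policy: role -> set of (resource type, action) it is permitted.
POLICY = {
    "clerk": {("record", "read"), ("record", "create")},
    "admin": {("record", "read"), ("record", "create"),
              ("record", "delete"), ("user", "manage")},
}


def is_authorised(principal, resource, action):
    """Pure policy decision; knows nothing about passwords or sessions."""
    return (resource, action) in POLICY.get(principal.role, set())


# ---------- Access control: the ENFORCEMENT point ----------
class AccessDenied(Exception):
    pass


AUDIT_LOG = []   # (decision, user, resource, action, reason) tuples


def access(session, resource, action):
    """Perform `action` on `resource` for the authenticated `session` (a Principal or None)."""
    if session is None:
        AUDIT_LOG.append(("deny", None, resource, action, "unauthenticated"))
        raise AccessDenied("authentication required")
    if not is_authorised(session, resource, action):
        AUDIT_LOG.append(("deny", session.username, resource, action, "not authorised"))
        raise AccessDenied(f"{session.username} may not {action} {resource}")
    AUDIT_LOG.append(("allow", session.username, resource, action, ""))
    return f"{action} on {resource} performed for {session.username}"


if __name__ == "__main__":
    alice = authenticate("alice", "alice-pass")
    bob = authenticate("bob", "bob-pass")
    print(access(alice, "record", "read"))
    print(access(bob, "record", "delete"))
    for attempt in ((alice, "record", "delete"), (None, "record", "read")):
        try:
            access(*attempt)
        except AccessDenied as exc:
            print("denied:", exc)
    print(AUDIT_LOG)
```

Notice that a wrong password and a missing permission are refused by different functions for different reasons, and that only `access()` touches the audit log: that separation is exactly the distinction the linked articles are describing.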

Publication Verification and Publication Incentive

UTM librarian contact information for:
Publication Verification/Publication Incentive
Pn Norashikin Johari
Tel: 07-5530029
Email: norashikinjohari@utm.my
Promotion Verification/Publication Incentive
Pn Syahranah Ahmad Raqi
Tel: 07-5530027
Email: syahranah@utm.my
Publication information can be checked in RADIS – https://radis.utm.my
Checks should be made from time to time to ensure that the latest information has been verified.

LI: Recommended Actions for 2nd Round of LI Placement Application

LI CURRENT STAGE: 2nd round of LI placement application.

What’s the next action? No worries, here are some recommended actions from JKLI.

Recommended actions:
  • FOLLOW UP with the 1st and 2nd companies.
  • If there is NO RESPONSE from a company, then DECIDE:
    • to KEEP WAITING (however, there must be a limit), or
    • to WITHDRAW the application from the 1st and 2nd companies and APPLY to another company. Note: for a WITHDRAWAL, send an email to the company, then forward it to JKLI.
  • APPLY to another company: proceed with a new BLI-1C for the new company (the steps)


Do refer to and follow the LI’s important dates in the table.


JKLI SCSR

rashidah@utm.my

LI: Company Profile

Please attach or update your BLI-1C form with Company Profile.

The Company Profile should include the following extracted information:

  1. Company Information and Contact Details
  2. Company Website
  3. Company LinkedIn
  4. Company Overview
  5. Department/Unit Overview

Examples:

  • Business Name: ABC KH, Inc.
  • Business Address: 1240 North Expressway, Arizona
  • Phone: 111-222-8900
  • Fax: 111-333-444
  • Annual Sales: $75 million
  • Total number of Employees: 50
  • Number of Employees at Department/Unit: 11
  • Primary Line of Business: Wood Products


JKLI SCSR

@RK2017