
Secure Code Review Cheat Sheet

Automated Secure Code Review

Quickly find issues throughout your codebase. Use automation to consistently test throughout the software development process.

SAST

Static Application Security Testing quickly finds issues like injection attacks, buffer overflows, and misconfigurations.

- Does not require a complete build.
- Can run in your IDE.
- Some tools can also test IaC configurations.

Secret Scanning

Detect plaintext hardcoded secrets in your codebase.

- Scans should be done early in the development process to catch secrets before they even enter the git history.
- Tools like ggshield can be automated as a pre-commit hook.

SCA

Software Composition Analysis is used to find vulnerabilities associated with third-party components in your codebase.

- Get a view into all third-party dependencies.
- Track every version of every dependency in your code.
- Quickly identify any third-party code with known issues.

Manual Secure Code Review

Requires developers who understand the intricacies of each issue. A great way to share knowledge and improve the team.

Maintainability and Complexity

Overly complex code is difficult to maintain long-term and can allow bugs and vulnerabilities to slip through to production.

Considerations for New Dependencies

Look at the popularity, security and history of any new package. The more popular a package is, the more likely it is to be maintained, to have no known vulnerabilities, and to have security issues fixed quickly.

Encryption

Attackers can use vulnerabilities in logic to cause unexpected behaviors. Experienced developers familiar with the data and processes can often spot issues SAST tools cannot.

Error Handling

Make sure that your error messages aren't too revealing, exposing how your application works to attackers, while ensuring they provide enough coverage to be useful to the end user.

Great Secure Reviews Combine Automation, Tools and Manual Review
