Source Code Review: Strategies
Hey folks,
Now it is time to go over the strategies I use for my code reviews. Source code review can indeed be daunting at times. However, if done correctly, it is pure bliss and gives you a lot of satisfaction.
Overview
I will outline a few strategies that I love to use. Then we will go deeper and look at how each one is done and what its pros and cons are.
- Coverage-first review
- Keyword-based review
- Functionality-based review
- Top-down review
- Bottom-up review
- Automated review
1. Coverage-first review
In this type of review, the reviewer goes through all the files from start to end and tries to find any critical bugs. This can also be done incrementally, each time a PR is opened against the main branch. This kind of review is similar to a security review before the code is pushed to the repo.
Speed of review: Low
Time to find the first bug: High
Coverage: High
False positive: Low
2. Keyword-based review
In this review, we search for potentially dangerous keywords such as exec() or os.system(). We can also use regexes to search for API keys or hashes. This can also be replaced by automation through scanners.
Speed of review: High
Time to find the first bug: Low
Coverage: Medium
False positive: Low
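To show what a keyword-based pass looks like in practice, here is an added example (not code from the original post): a small regex scanner run over a handful of constructed source lines. The file paths, line contents and the placeholder key values are all made up for the demo; the patterns cover the dangerous calls the post mentions plus a couple of loose secret patterns.

```python
import re

# Constructed sample source lines (not taken from any real project): (path, line_no, text).
SAMPLE_SOURCE = [
    ("app/tasks.py", 12, "import os"),
    ("app/tasks.py", 40, "    os.system('tar czf ' + archive_name)"),
    ("app/plugins.py", 7, "    exec(code_from_config)"),
    ("app/settings.py", 3, 'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"'),
    ("app/settings.py", 4, 'api_key = "sk_live_constructedplaceholder0000"'),
    ("app/util.py", 22, "    digest = hashlib.md5(data).hexdigest()"),
    ("app/util.py", 30, "    return subprocess.run(cmd, shell=True)"),
    ("app/views.py", 88, "    return render(request, 'index.html')"),
]

# Keywords and patterns worth a closer look. Each entry is (label, compiled regex).
# The secret patterns are deliberately loose: for triage it is better to over-match.
PATTERNS = [
    ("dangerous-call", re.compile(r"\b(?:exec|eval)\s*\(")),
    ("shell-command", re.compile(r"\bos\.system\s*\(|\bsubprocess\.\w+\([^)]*\bshell\s*=\s*True")),
    ("weak-hash", re.compile(r"\bhashlib\.(?:md5|sha1)\s*\(")),
    ("aws-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic-secret", re.compile(r"(?i)\b(?:api[_-]?key|secret|token|password)\s*=\s*['\"][^'\"]{8,}['\"]")),
]

def scan_lines(lines, patterns=PATTERNS):
    """Return (label, path, line_no, text) for every line that matches any pattern.

    A line can match several labels; each match is reported separately so the
    reviewer sees every reason a line was flagged.
    """
    hits = []
    for path, line_no, text in lines:
        for label, rx in patterns:
            if rx.search(text):
                hits.append((label, path, line_no, text.strip()))
    return hits

def summarize(hits):
    """Count hits per label: a quick view of where review time should go first."""
    counts = {}
    for label, _path, _line, _text in hits:
        counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    for label, path, line_no, text in scan_lines(SAMPLE_SOURCE):
        print(f"[{label:<14}] {path}:{line_no}: {text}")
    print(summarize(scan_lines(SAMPLE_SOURCE)))
```

Every hit still needs a human look: `exec()` in a plugin loader may be intended, and a weak hash used for a cache key is not a finding. The value of the pass is that it gets you to the first suspicious line in minutes, which matches the "Time to find the first bug: Low" rating above.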
3. Functionality-based review
In a functionality-based review, we only care about a single function or a set of related functions. For example, we might look into the upload functionality and check for all the vulnerabilities related to it, such as file-type bypass, large file upload, or upload with metadata.
Speed of review: High
Time to find the first bug: Medium
Coverage: Low
False positive: Low
4. Top-down review
In this review, we start with the input as it enters the application, whether from a user or from another medium, and follow it until we reach the end of that data. Here, we are following the flow of the data until it reaches its final entity, such as a DB, or leaves for another application.
Speed of review: Medium
Time to find the first bug: Medium
Coverage: Medium
False positive: Low
5. Bottom-up review
In this review, we start with the output or the database and move up until we reach the input section of the code. Here, we are following the flow of the data backwards until it reaches its origin, such as an input endpoint.
Speed of review: Medium
Time to find the first bug: Medium
Coverage: Medium
False positive: Low
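The top-down (4) and bottom-up (5) reviews are the same data-flow question asked from opposite ends, so here is one added example that does both over the same code (not code from the original post). It parses a constructed Flask-style handler with Python's `ast` module, records per statement what is assigned and read, and then either carries taint forward from the request parameter to the shell call, or starts at the shell call and chases its arguments back to their definitions. The source and sink names in `SOURCE_CALLS` and `SINK_CALLS` are assumptions chosen for the demo.

```python
import ast

# Constructed sample handler (not from the post): the shell command is built from a
# request parameter, so user input reaches os.system() through the chain name -> cmd.
SAMPLE_CODE = '''
def export(request):
    name = request.args.get("name")
    safe_msg = "export started"
    cmd = "tar czf /tmp/" + name + ".tgz /data"
    log(safe_msg)
    os.system(cmd)
    return "ok"
'''

# Assumed source and sink names for this toy analysis; a real review would use a
# list tailored to the project's frameworks.
SOURCE_CALLS = {"request.args.get", "request.form.get", "input"}
SINK_CALLS = {"os.system", "subprocess.run", "cursor.execute"}

def dotted(node):
    """Render a Name/Attribute chain such as request.args.get as a string, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def function_facts(func):
    """Per statement of a function body: the variable it assigns, the variables it
    reads, and the source/sink calls it contains. Straight-line code only."""
    facts = []
    for stmt in func.body:
        assigned = None
        if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)):
            assigned = stmt.targets[0].id
        reads = {n.id for n in ast.walk(stmt)
                 if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Load)}
        called = {dotted(c.func) for c in ast.walk(stmt) if isinstance(c, ast.Call)}
        facts.append({"line": stmt.lineno, "assigned": assigned, "reads": reads,
                      "sources": called & SOURCE_CALLS, "sinks": called & SINK_CALLS})
    return facts

def facts_for(code, func_name):
    """Parse `code` and return the facts for the named top-level function."""
    tree = ast.parse(code)
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef) and node.name == func_name:
            return function_facts(node)
    raise ValueError(f"no function named {func_name}")

def top_down(facts):
    """Forward (top-down): start at the sources and carry taint through assignments."""
    path = {}   # tainted variable -> line numbers the taint travelled through
    findings = []
    for f in facts:
        tainted = [v for v in sorted(f["reads"]) if v in path]
        if f["assigned"] is not None:
            if f["sources"]:
                path[f["assigned"]] = [f["line"]]
            elif tainted:
                path[f["assigned"]] = path[tainted[0]] + [f["line"]]
        for sink in sorted(f["sinks"]):
            if tainted:
                findings.append({"sink": sink, "line": f["line"],
                                 "path": path[tainted[0]] + [f["line"]]})
    return findings

def bottom_up(facts):
    """Backward (bottom-up): start at each sink and chase what it reads to a source."""
    findings = []
    for i, f in enumerate(facts):
        for sink in sorted(f["sinks"]):
            wanted = set(f["reads"])     # variables whose definitions we still need
            lines = [f["line"]]
            for g in reversed(facts[:i]):
                if g["assigned"] in wanted:
                    wanted.discard(g["assigned"])
                    lines.append(g["line"])
                    if g["sources"]:
                        findings.append({"sink": sink, "line": f["line"],
                                         "path": list(reversed(lines))})
                        break
                    wanted |= g["reads"]
    return findings

if __name__ == "__main__":
    facts = facts_for(SAMPLE_CODE, "export")
    print("top-down :", top_down(facts))
    print("bottom-up:", bottom_up(facts))
```

Both directions report the same path (source on line 3, propagation on line 5, sink on line 7), which is the point: top-down finds every sink a given input can reach, bottom-up finds every input that can reach a given sink, and you pick the direction by what you have fewer of. The toy deliberately ignores branches, calls into other functions and sanitizers (a `shlex.quote(cmd)` in between would still be reported), which is exactly where the "Medium" coverage and false-positive ratings above come from and what tools like Semgrep's taint mode add on top of this idea.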
6. Automated review
Here, we use automated scanners such as SonarQube or Semgrep to get the work done. This can also be coupled with any of the above approaches.
Speed of review: High
Time to find the first bug: High
Coverage: High
False positive: High
Conclusion:
I hope these strategies help you in your security journey. Feel free to join the fuffsec family via the "subscribe" button.
Thanks for all your support.