GUEST ESSAY: 6 ways to use a ‘secure code review’ to engrain security during software development

By Amit Ashbel

An application or update is days, or possibly just hours away, from release and you’ve been working hard to ensure that security tools and processes are integrated throughout the development process. You believe you’ve followed all the steps and your app is ready to go, right?

Wrong. You have one more step in the security process before you can give the green light: a secure code review.

Related podcast: How application security testing can dovetail into ‘DevOps’



If you’re wondering what a secure code review is, it’s the process organizations go through to identify and fix potentially risky security vulnerabilities in the late and final stages of development. They serve as a final step to ensure your code is safe and that all the dependencies and controls of the application are secured and functional. Here are six fundamentals to onboarding secure software.

Run through a checklist. This may seem obvious, but keeping the review process consistent is extremely important. When conducting manual code reviews, make sure all reviewers are working off of the same comprehensive checklist. Enforce time constraints as well as mandatory breaks for manual code reviewers. It’s important to ensure the reviewers are at their sharpest, especially when looking at high-value applications.

Keep things positive. It’s easy to single out developers for mistakes. However, if you want to build a positive security culture, it’s important to refrain from playing the blame game; this only serves to deepen the gap between security and development. Use your findings to help guide your security education and awareness programs, using mistakes as a jumping off point to spotlight what developers should be looking out for.

Rely on a mix of humans and tools. Tools aren’t armed with the mind of a human, and therefore can’t detect issues in the logic of code and the risk to the organization if such a flaw is left unfixed. Thus, a mix of static analysis testing and manual review is the best combination to avoid missing blind spots in the code. Use your team’s expertise to review more complicated code and valuable areas of the application, and rely on automated tools to cover the rest.

Create a defense with depth. At some point, even when being overly cautious and taking all the necessary steps to ensure safe code, a breach can still happen. To combat that, practice “defense in depth”. This principal is all about layering defense tools in order to minimize the number of holes in an application that would allow different attacks to take place. The idea behind defense in depth is that if one security layer fails, the next will be there to catch whatever attacks fall through the cracks of the first layer.

Track patterns and continuously monitor. By tracking repetitive issues that show up on reports and applications, you can help inform future reviews by modifying your secure code review checklist, as well as your AppSec awareness training. Monitoring code offers great insight into the patterns that could be the cause of certain flaws, and will help you when you’re updating your review guide.

Review, review and review some more. If you have a secure Software Development Life Cycle in place, you understand the value of testing code on a regular basis. Secure code reviews don’t have to wait until just before release, instead, review code each time a meaningful change has been introduced. For major applications, try performing manual code reviews when new changes are introduced, saving time and human brainpower by having the app reviewed in chunks.

About the essayist: Amit Ashbel is a cybersecurity evangelist at Checkmarx

More stories related to software security:
Done right, pairing of DevOps and cybersecurity coordinates strengths of both
To get ahead of threat curve, boost security during software development
Security by design: Embed protection during software development

 This article originally appeared on

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone