Code Review and Pentest, What they are and when to use them
It is still common in the market to find companies with some doubts when it comes to safe development. For example, what are the differences between code review and pentest.
One of these doubts is related to the correct moment of some types of tests execution in the safe development process.
Thinking about it, we will present some concepts and information that we hope will clarify these doubts.
A complex and challenging scenario
Every beginning of the year we have a series of research and data that are published by several research centers and companies that try to map what happened in the previous year in the area of Cybersecurity.
This year was no different, and one of the most anticipated reports is the one produced by NTT Security. And in this latest report, the data shows us that the scenario is becoming a little more complex and challenging.
The data may not be the most recent, but they still reflect much of the scenario that we find in the market.
Globally, the report shows that we continue to have more directed attacks at web applications than other technologies, mainly in the financial market and in companies in other sectors.
This data is confirmed when we realize that 43% of companies, in a global scenario, affirm that they do not have enough and or even qualified professionals to seek solutions to these problems.
If we bring the scenario closer to our reality, analyzing the data from the report for the Americas, we will find data very similar to the global data.
This fact can and goes against one of the arguments widely used by managers when we present data to demonstrate a point of view in our presentations, that these data refer to the global, European or USA-centered scenarios.
These data demonstrate the importance of understanding what the tests related and identified in the article are, as well as understanding how these tests can help in this scenario.
What a Pentest is and when to use it
In one of our articles, we have already dealt with pentests and even put our understanding of what a pentest is and how it should be used within a safe development process, and just to remind you, here is an excerpt from the article.
“Pentest is a type of test that should be performed preferably within the Continuous Application Security process, ideally in the final stages, so that it is possible to observe the security of an application already in production.”
The issue is not only one of understanding, we also have managers and development professionals who are still unable to identify at what moment it is important to execute a pentest.
For this, we will describe what a secure development process is like, and within this context, place where the pentest is executed.
As shown in the image, the execution of pentests must take place in the testing phase of a development process.
The execution of pentest at this stage ensures that all security measures implemented during the development process are working as expected.
We wrote an article showing different types of pentests and we believe it can help on building knowledge.
What a Code Review is and when to use it
When we talk about Code Review, we need to understand that this is another type of test and that its purpose differs from pentest.
In this article we are not going to detail much about what a code review is, we already have another article describing the subject in a very detailed way.
If we use the same image above as a base, it is also clear that the use and execution of the code review happens at a very different time than when we performed a pentest.
We can see that the code review will be executed within the coding process, and it is one of the mechanisms used to guarantee the security of the code.
“Secure code review is probably the simplest effective technique for identifying security bugs early in the development process. When used in conjunction with automatic and manual intrusion tests, code review can significantly increase the effectiveness of verifying application security.”
Note by the statement above, that we can find in the OWASP Code Review Guide that there is no restriction in the use of both ways to test an application or code.
Quite the contrary, we realized that to guarantee the security of an application, we have to use several solutions, techniques and tools, all working together.
Security is not just a thing
We believe that by closing this article we were able to clarify the function and timing of each of the tests, but we are always open to help clarify any doubts that may have remained.
The important thing in the secure development process is to understand that the result of a secure code is not just a thing, the result of a secure code is achieved with a defined, clear and mature process.
The use of techniques and tools is a fundamental factor to achieve the objective of protecting the code.
But without leaving aside the human factor, the professional with his experience will always seek to solve problems and circumvent solutions that a tool would hardly do.