Application Security

Code Review and Pentest: know the differences

It is still common to find companies with open questions about secure development, for example: what is the difference between a code review and a pentest?

Another of these questions concerns the right moment to run each type of test within the secure development process.

With that in mind, we present some concepts and information that we hope will clear up these questions.

A complex and challenging scenario

At the beginning of every year, a series of research reports and data sets is published by research centers and companies that try to map what happened in cybersecurity during the previous year.

This year was no different, and one of the most anticipated reports is the one produced by NTT Security. Its latest edition shows that the scenario is becoming somewhat more complex and challenging.

The data may not be the most recent, but it still reflects much of what we find in the market.

Globally, the report shows that web applications continue to be attacked more than other technologies, mainly in the financial sector but also in companies from other sectors.

This picture is reinforced by another figure: 43% of companies worldwide state that they do not have enough professionals, or enough qualified professionals, to address these problems.

If we bring the scenario closer to our own reality and look at the report's data for the Americas, we find figures very similar to the global ones.

This counters an argument managers often raise when we present such data to support a point of view in our presentations: that the figures refer only to global, European or US-centered scenarios.

These figures show why it matters to understand the tests discussed in this article, and how they can help in this scenario.

What a Pentest is and when to use it

In one of our articles we have already covered pentests and presented our understanding of what a pentest is and how it should be used within a secure development process. As a reminder, here is an excerpt from that article:

“Pentest is a type of test that should be performed preferably within the Continuous Application Security process, ideally in the final stages, so that it is possible to observe the security of an application already in production.”

The issue is not only one of understanding: we also have managers and development professionals who still cannot identify the moment at which it is important to execute a pentest.

To address this, we will describe what a secure development process looks like and, within that context, place where the pentest is executed.

As the image shows, the execution of pentests takes place in the testing phase of the development process.

Executing a pentest at this stage checks whether the security measures implemented during development are actually working as expected: the pentest exercises the running application from the outside, so it tests what was built and deployed rather than what the source code says.

We have also written an article describing the different types of pentest, which can help build this knowledge.

What a Code Review is and when to use it

When we talk about code review, we need to understand that it is a different type of test and that its purpose differs from that of a pentest.

In this article we will not go into much detail about what a code review is; we already have another article describing the subject thoroughly.

Using the same image above as a base, it is also clear that the code review is used and executed at a very different time from the pentest.

The code review is executed within the coding phase, and it is one of the mechanisms used to ensure the security of the code: it looks at the source itself, so it can catch a dangerous construction before the application exists to be attacked.

“Secure code review is probably the simplest effective technique for identifying security bugs early in the development process. When used in conjunction with automatic and manual intrusion tests, code review can significantly increase the effectiveness of verifying application security.”

Note from the statement above, taken from the OWASP Code Review Guide, that there is no restriction on using both ways to test an application or its code.

Quite the contrary: to ensure the security of an application we have to use several solutions, techniques and tools, all working together.
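To make the two views concrete, here is an added example that is not code from the original article or its authors. It takes one login function in the form a reviewer would flag during the coding phase (SQL assembled by string interpolation) beside its hardened form (a parameterised query), and then applies both kinds of test to it: a small source-level check standing in for what a code reviewer or a SAST rule looks for, and a runtime probe of the kind a pentester would send against the deployed application. The users table, its passwords and the probe payload are all constructed for the demo; the heuristic check is illustrative and is not a complete injection detector.

```python
import inspect
import sqlite3

# Constructed sample data for the demo. Plaintext passwords are used only to
# keep the example short; a real system would store password hashes.
SAMPLE_USERS = [
    (1, "alice", "s3cret"),
    (2, "bob", "hunter2"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login as it might be written before review: returns the user id or None."""
    # Reviewer finding: user input is interpolated straight into the statement.
    query = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Hardened form of the same login: placeholders let the driver bind values."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# --- The code-review view: a source-level check run during the coding phase ---

SQL_KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE")
STRING_BUILDING = ('f"', "f'", " + ", ".format(", " % ")


def find_string_built_sql(source):
    """Flag lines where an SQL statement is assembled by string building.

    A deliberately small heuristic standing in for what a reviewer (or a
    SAST rule) looks for; it is not a complete injection detector.
    Returns a list of (line_number, line_text) relative to the given source.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        text = line.strip()
        has_sql = any(keyword in text.upper() for keyword in SQL_KEYWORDS)
        built = any(marker in text for marker in STRING_BUILDING)
        if has_sql and built:
            findings.append((lineno, text))
    return findings


def review_findings():
    """Run the check over both login variants, keyed by function name."""
    return {
        fn.__name__: find_string_built_sql(inspect.getsource(fn))
        for fn in (login_vulnerable, login_fixed)
    }


# --- The pentest view: a runtime probe against the running code ---

def probe_auth_bypass(login):
    """Send a classic tautology payload; True means the login was bypassed."""
    conn = make_db()
    try:
        # Constructed payload: closes the string literal, adds an always-true
        # clause, and comments out the password check with "--".
        return login(conn, "alice' OR '1'='1' --", "not-the-password") is not None
    finally:
        conn.close()


if __name__ == "__main__":
    for name, hits in review_findings().items():
        print(f"review {name}: {len(hits)} finding(s)")
    print("probe bypasses login_vulnerable:", probe_auth_bypass(login_vulnerable))
    print("probe bypasses login_fixed:", probe_auth_bypass(login_fixed))
```

The review check fires on the interpolated query and stays silent on the parameterised one; the probe bypasses the first login and fails against the second. The two findings agree here because the flaw is simple, but each method sees something the other does not: the reviewer spots the dangerous construction without needing a running system or a payload, while the pentest confirms the behaviour of the application as actually deployed, including anything the source alone cannot show.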

Security is not just one thing

We believe that, in closing this article, we have clarified the function and timing of each of these tests, but we are always open to help clear up any doubts that remain.

The important thing in the secure development process is to understand that secure code is not the result of just one thing; it is achieved through a defined, clear and mature process.

The use of techniques and tools is a fundamental factor in achieving the objective of protecting the code.

But the human factor must not be left aside: an experienced professional will find problems, and ways around defenses, that a tool would hardly manage on its own.

About author


Over 15 years of experience in Information Security and Applications, graduated in Data Processing, worked as a Professor and participated actively as an instructor in training for more than 6000 developers and IT teams. Father of two daughters and trader in his free time.