In the software construction process, several steps are essential for the development to be carried out to follow quality and security standards. For the code to maintain these standards during development, we have two important approaches that can be used to validate software quality: code review and secure code review. In this article, we will discuss the importance of each one and how they are used. In general, the code review aims to identify possible failures, bugs, or opportunities for improvement in the source code according to the syntax and best practices of each language. While the secure code review focuses on identifying issues related to security vulnerabilities. If you are interested, OWASP provides complete material related to secure code review.
What is the difference between Code Review and Secure Code Review?
The goal of the code review is to find and point out failures, bugs, or opportunities for improvement in the software. The review can be done in pairs, or by just one developer, the most important thing is the code comprehension and dissemination among the developers.
Generally, the code review is done after each commit (when a code change is made), or in some cases with each Pull Request (when a portion of the code is requested from a branch). It is important that when doing the code review, the developer pays attention to good practices, in some cases the company itself usually has a development guide.
If the company does not have a good practice guide, it is essential to establish criteria for analyzing the codes. Next, we have some important points that can be taken into account in the analysis: code reuse, code complexity, variable naming, fields, parameters, or even if the classes or methods reflect what they represent.
Still talking about code review, it is possible to use manual or automated analysis. The manual analysis consists of the developer himself looking for problems, failures, or defects, using a guide or his own development experience. In automated analysis, tools are used to help standardize code quality (check if good practices are being applied), provide actionable insights at important points, and even reports of tests performed.
In addition, it is good to remember that both for code review and secure code review, there is no hierarchical discrimination for who is doing the review. However, it is necessary to know about software development and security (even more if the focus is secure code review).
For the code review to be efficient, it is worth establishing a certain frequency in the review, in addition to having a well-defined stage in which it should be carried out. Below, I listed some practices that can make your code review more efficient:
- Focus on quality during code review, not the number of lines.
- Prefer short times, however, with higher concentration, focus on quality.
- Establish clear goals and metrics, such as: “decrease reported errors”.
In the secure code review process, in addition to being based on some of the items mentioned in the code review, attention must be focused primarily on software security. It is important to be aware of possible security breaches, as some of these failures may be related to: authentication, authorization, session management, code injection, access control, and data entry, not limited to these.
The manual review in secure code review will focus on reviewing breaches related to code security. This review is usually more accurate, however, slower, through its business rules are taken into account, therefore, the tendency to have false positives can be reduced, which by the way is a great gain from this practice.
On the other hand, for better time optimization, we also have the automation of secure code review. During this process, SAST tools can be used to perform a code scan, allowing to automate part of the analysis process, and facilitating the search for gaps. Do you want to know more about the difference between code review and SAST?
We can conclude the code review is essential in development, and for it to be well structured, methods and tools must be adopted, such as a good practice guide, manual review, and automated tests. Each technique has a specific role in the process and, taken together, can lead to a significant improvement in software quality and security.
Manual review can identify flaws that other techniques fail to detect. Automated tests verify software functionality and security in different scenarios. The combination of these techniques can bring even more positive results, such as more efficient identification of vulnerabilities and continuous improvement of the code review process. Added to a good practice guide, it becomes even more powerful!
Remember: the code review seeks to improve the quality of the software in general, such as bugs, defects, and the dissemination of good practices in code analysis, the process focuses on quality, while secure code review focuses on finding security vulnerabilities.
