Incremental Code Review x Internal Code Review Tests
When having the first contact with our clients or even companies interested in our services there is always an intriguing question: Which is better, hire a consulting company or make internal tests?
This is one of the most challenging questions we try to answer when it pops up.
In this post, we will attempt to clarify the difference between Incremental Code Review and Internal Code Review tests.
A brief analysis
In the first moment, we have to understand that making incremental tests are always related to new code validation or codes that have been through some changes during the coding process.
This type of code review approach is related to the agile development process, therefore connected to the CI/CD structure of many companies, so the great doubt is when companies need to find solutions to improve their reviewing process, would it be better to make internal tests or even hire a consulting company to have these tests done?
To answer these questions we need to evaluate a series of parameters, but in a general way and by experience, yes, it is a good opportunity to hire a consultant, since the demands justify it, and the knowledge transfer volume is done uniformly throughout all teams.
What do companies win with external hiring?
When companies think about making internal tests, one important factor to be taken into consideration is the cost of an external service comparing to use their own workers. However, keep in mind that an external service offers more than just code review.
When taking action on incremental code review we act directly to development teams, exchanging ideas and explaining how the vulnerabilities can affect applications. Most of the time the lack of vision from internal teams is not connected to the lack of knowledge but on professional focus, the difference is that our analysts are focused on Application security while developers are focused on creating codes.
Meanwhile, the evaluation of external hiring should have been taken into consideration but, in most cases, it doesn’t happen due to the false pretense of the professional be good at both developing and security analysts. It could be true but there is a different reality that must be observed when hiring.
Another point to be considered by companies is that hiring or even acquiring such a tool to make DAST & SAST tests would suffice their needs. In some circumstances, these tests can help, but most DAST & SAST tests are used as support to the code review process and not as the main focus.
Tools such as DAST & SAST don’t review codes as deep as an analyst would do. When executing these tools patterns that will be searched are based inside a code, such patterns can, most of the time be identified correctly but they can also show, as normally do, a various amount of results called false positives, where a non-existing flaw is shown.
There is another point considered to be worse than the ones presented before, called false negatives where there is a vulnerability not shown by any tool. It can happen because machines don’t have the same capacity as a human being, if not observed can be but a small step to enter an application.
There is a cost hidden on internal tests
To maintain a team of analysts is another factor that mas be evaluated when choosing these internal tests or even hiring a service.
If we stop to think on how to implement a continuous process of security coding review some challenges must be validated, such as:
- Adopt worldwide methods of analysis. (your attacker can be anywhere)
- Recruit high-specialized professionals, because security analysts must be good programmers in all coding languages as well as a specialization on security
- Implement and keep efficient analyses management processes, Incremental Code Review needs to be done in every Build that is made, what can be hard to manage in some environments
- Select, acquire, install and setup tools to support all the continuous analysis process
- Implement and control a management system for vulnerabilities, so the reports can be registered and filed, as well as sent to be fixed up
- Implement and control retest cycles, so the identified vulnerabilities can be corrected and developed in a way to ensure that the bugfix was effective
- Develop and apply a training program for the teams to develop secure coding skills, reducing vulnerability in the code
- Consolidate data and present reports to direct the decision-making process and promote improvements
Being aware of the challenge makes things easier to see the benefits of hiring an outsource company to analyze and review codes.
When evaluating external sources of code review, is possible to see that service delivery is never an individual service. The implementation of this service reduces the deadline service significantly because of a pre-defined process tested, experimented and validated, being in a more advanced level of maturity.
Also, the organization receives a set of tools that have already been selected, tested and optimized, being quickly implemented during setup (about two weeks).
In this service model, as the professionals reviewing these codes are part of the outsource team, the organization will provide, as quick as possible a team of experienced analysts to cover a vast number of coding, frameworks, and stacks that are or will be used in the development process.
Another matter that is sometimes forgotten when hiring an external process is that we don’t need to worry about turnovers or professional development.
Finally, by hiring a management service, the organization will control vulnerability management as well as dashboard indicators and performance reports that will be used to measure your ROI the best result.