ENG 812: Security Code Review
This course presents the primary techniques used to conduct a security code review, with a focus on identifying potential security vulnerabilities. Numerous exercises and code examples are provided, along with guidance on how to efficiently identify the areas of a codebase that need a more in-depth review.
Upon completion of this course, participants will be able to:
- Implement discovery methods to uncover flaws in the source code
- Apply knowledge of how to detect security vulnerabilities to perform a successful security code review
- Use manual methods as well as automated tools to conduct source code reviews
- Leverage the results of code reviews to make improvements in the secure software development process
Introduction to Secure Code Review
This module introduces participants to key terms and how they are used in this course. The focus is on understanding the basic concepts behind a secure code review and the techniques required to perform a successful review.
Secure Code Review Methodology
This module presents the methodology used to perform a secure source code review: identifying the types of issues to examine in the code, and then remediating the vulnerabilities found as quickly and effectively as possible. Students will use threat models, architecture diagrams, and other inputs to guide the review, and then use the list of discovered vulnerabilities to guide future reviews.
Common Hotspots in Source Code Review
This module presents the common hotspots that are susceptible to vulnerabilities. The goal is to understand the various types of static code vulnerabilities, their impact, and how to detect them by reviewing the source code. Demonstrations and code snippets will be used to showcase these issues.
Application-specific Hotspots in Source Code Review
This module explains the various ways to detect business logic flaws in applications, and how to identify vulnerabilities that surface due to specific application features.
Post Code Review Activities
This module explains the various activities that should be performed once the code review phase has been completed. These range from bug prioritization to security knowledge transfer for the development team, so that the same classes of bugs are not repeated in the future. The module concludes with a discussion of the various approaches that can be used to perform a source code review, along with the pros and cons of each.