Security Code Review and Secure Coding

4 min readMay 12, 2021

What is Security Code Review and Secure Coding? How important is it? Are Security Code Review and Secure Coding part of your Application Security program?

Security Code Review

Code Review is a process that a person (usually Application Security Engineers or another developers) reviews all or part of the code written by another developer. Security Code Review means a Code Review that attempts to find security related weaknesses in the code.

Secure Coding

Secure Coding is the practice of writing applications in a way that protects itself against known vulnerabilities.

How to implement Security Code Review

It mostly depends on the company! Manually code review is time consuming so if you have enough time and resources to do it, you can do it for every code commit! But usually companies don’t have enough resources, So you should select most important parts of the application, (for example Authentication, Payment, Ordering and other important parts) and do code review for those parts.

References

Code Review Developer GuideA code review is a process where someone other than the author(s) of a piece of code examines that code. At Google, we…
google.github.io

https://www.michaelagreiler.com/code-reviews-at-google/

mgreiler/secure-code-review-checklistContribute to mgreiler/secure-code-review-checklist development by creating an account on GitHub.
github.com

softwaresecured/secure-code-review-checklistA starter secure code review checklist. Contribute to softwaresecured/secure-code-review-checklist development by…
github.com

What can we do for Secure Coding?

You should train the developers! Developers should know most important vulnerabilities. And beside that they should know how they can develop their code to be free of vulnerabilities.

References

Secure Coding Training - Learn Security | Secure Code WarriorTurn upskilling into a game, and developers are hooked! Foster a spirit of friendly competition, as coders compete in…
www.securecodewarrior.com

Interactive Secure Development TrainingInteractive Cybersecurity Training. HackEDU offers comprehensive online Secure Development Training for your…
www.hackedu.com

SecureFlag - Secure Coding Training platform for Developers & DevOps engineersOur platform incorporates the latest advances in modern secure coding practices. Plus, it delivers on-demand "Adaptive…
secureflag.com

OWASP/Go-SCPYou can download this book in the following formats: PDF, Mobi and ePub. Go Language - Web Application Secure Coding…
github.com

Checkmarx/JS-SCPJavaScript Web Application Secure Coding Practices is available for online reading or download in pdf, MOBI and ePub…
github.com

Android Application Secure Design/Secure Coding Guidebook - Android Application Secure…Android is a trademark or a registered trademark of Google Inc. The company names, product names and service names…
www.jssec.org

https://developer.android.com/topic/security/best-practices

SEI CERT Coding StandardsThis site supports the development of coding standards for commonly used programming languages such as C, C++, Java…
wiki.sei.cmu.edu

As an Application Security Engineer how can I improve my Code Review/Secure Coding skills?

Know the most important vulnerabilities related to the application.(web, mobile and …)

OWASP Top TenThe OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad…
owasp.org

OWASP Mobile Top 10In 2015, we performed a survey and initiated a Call for Data submission Globally . This helped us to analyze and…
owasp.org

OWASP Application Security Verification StandardThe OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application…
owasp.org

OWASP/owasp-masvsThis is the official Github Repository of the OWASP Mobile Application Security Verification Standard (MASVS). The…
github.com

Know the basics of Code Review/Secure Coding — Check the mentioned links and the following course

Secure Coding PracticesCybersecurity Java secure programming C/C++ Cryptography Authentication Methods Identifying vulernabilities C/C++…
www.coursera.org

Know the most important application architectures.

How to Design a Web Application: Software Architecture 101These are the decisions you wish you could get right early in a project.
www.educative.io

Software Architecture GuideOne of the undecided problems of software development is deciding what the boundaries of a piece of software is. (Is a…
martinfowler.com

Know the programming language,library,framework and all technologies related to the application. Use Youtube and other websites to learn a new language, framework and technologies.(we can’t master all available languages and frameworks! So you just need to know the basics to read the code)

freeCodeCamp.orgLearn to code for free.
www.youtube.com

edureka!Thank you for Subscribing! If you have not, Subscribe now! We are a live & interactive e-learning platform with the…
www.youtube.com

TeluskoHey Aliens!!! I make free programming tutorials from beginner to advanced level That includes Java for beginner…
www.youtube.com

Search for “X full course”, for example “Python full course” , “Spring full course”

Practice secure coding on your language or framework.

Use mentioned platforms like Secure Code Warrior, Hackedu and Secure Flag.To try Secure Code Warrior platform you can follow them and register for upcoming tournaments. When you register for a tournament you can have access to their platform.(great platform) Also for Secure Flag platform you can buy OWASP membership and get access to the platform:

OWASP Membership Information & BenefitsOWASP Membership Information & Benefits on the main website for The OWASP Foundation. OWASP is a nonprofit foundation…
owasp.org

Summary

Know vulnerabilities
Know the basics of Secure Coding
Know software architecture
Know the programming language and framework
Know secure coding of that language and framework

Original article: https://www.linkedin.com/pulse/security-code-review-secure-coding-mehdi-esmaeilpour/

Security Code Review and Secure Coding

Security Code Review

Secure Coding

How to implement Security Code Review

References

Code Review Developer Guide

A code review is a process where someone other than the author(s) of a piece of code examines that code. At Google, we…

mgreiler/secure-code-review-checklist

Contribute to mgreiler/secure-code-review-checklist development by creating an account on GitHub.

softwaresecured/secure-code-review-checklist

A starter secure code review checklist. Contribute to softwaresecured/secure-code-review-checklist development by…

What can we do for Secure Coding?

References

Secure Coding Training - Learn Security | Secure Code Warrior

Turn upskilling into a game, and developers are hooked! Foster a spirit of friendly competition, as coders compete in…

Interactive Secure Development Training

Interactive Cybersecurity Training. HackEDU offers comprehensive online Secure Development Training for your…

SecureFlag - Secure Coding Training platform for Developers & DevOps engineers

Our platform incorporates the latest advances in modern secure coding practices. Plus, it delivers on-demand "Adaptive…

OWASP/Go-SCP

You can download this book in the following formats: PDF, Mobi and ePub. Go Language - Web Application Secure Coding…

Checkmarx/JS-SCP

JavaScript Web Application Secure Coding Practices is available for online reading or download in pdf, MOBI and ePub…

Android Application Secure Design/Secure Coding Guidebook - Android Application Secure…

Android is a trademark or a registered trademark of Google Inc. The company names, product names and service names…

SEI CERT Coding Standards

This site supports the development of coding standards for commonly used programming languages such as C, C++, Java…

As an Application Security Engineer how can I improve my Code Review/Secure Coding skills?

OWASP Top Ten

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad…

OWASP Mobile Top 10

In 2015, we performed a survey and initiated a Call for Data submission Globally . This helped us to analyze and…

OWASP Application Security Verification Standard

The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application…

OWASP/owasp-masvs

This is the official Github Repository of the OWASP Mobile Application Security Verification Standard (MASVS). The…

Secure Coding Practices

Cybersecurity Java secure programming C/C++ Cryptography Authentication Methods Identifying vulernabilities C/C++…

How to Design a Web Application: Software Architecture 101

These are the decisions you wish you could get right early in a project.

Software Architecture Guide

One of the undecided problems of software development is deciding what the boundaries of a piece of software is. (Is a…

freeCodeCamp.org

Learn to code for free.

edureka!

Thank you for Subscribing! If you have not, Subscribe now! We are a live & interactive e-learning platform with the…

Telusko

Hey Aliens!!! I make free programming tutorials from beginner to advanced level That includes Java for beginner…

OWASP Membership Information & Benefits

OWASP Membership Information & Benefits on the main website for The OWASP Foundation. OWASP is a nonprofit foundation…

Written by Mehdi Esmaeilpour