
The basics of security code review
2021-05-19 05:30

Familiarize yourself with markers of specific vulnerabilities so that you can identify source code patterns as you come across them.

In code analysis, "Sources" are the points where untrusted data enters the program (an HTTP parameter, a command-line argument, a file), and "Sinks" are the places where that data is consumed and the vulnerability actually occurs (a query built by concatenation, a shell command, an eval).

To gather a quick understanding of the landscape, you can search by strings, keywords, and code patterns that typically indicate the presence of a vulnerability or misconfiguration.

To expand upon a quick initial search, focus on areas of code that deal with user input, which can provide entry points for attackers to exploit the application's vulnerabilities.
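The pattern search and the source/sink pairing described above can be scripted. The following is an added example written for this page, not code from the original article: it scans a constructed Python module for common source and sink patterns and flags functions in which both appear, which is where a manual review should start. The regular expressions, the sample module and the label names are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample module to review (not from any real project).
SAMPLE_SOURCE = '''\
import os
import subprocess
from flask import request

def lookup_user(db):
    name = request.args.get("name")
    db.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return "ok"

def ping(host):
    os.system("ping -c 1 " + host)
    return True

def safe_count(db, name):
    db.execute("SELECT count(*) FROM users WHERE name = ?", (name,))
    return db.fetchone()
'''

# Where untrusted data enters the program (labels are illustrative).
SOURCE_PATTERNS = {
    "http_param": re.compile(r"request\.(args|form|values|json|data|cookies)"),
    "cli_arg": re.compile(r"sys\.argv"),
    "stdin": re.compile(r"\binput\("),
    "env": re.compile(r"os\.environ"),
}

# Where that data becomes dangerous if it arrives unchecked.
SINK_PATTERNS = {
    # .execute( with an f-string, or string building via +, % or .format( on the line
    "sql_concat": re.compile(r"\.execute\((?:\s*f[\"']|.*(?:\+|%|\.format\())"),
    "shell_exec": re.compile(r"os\.system\(|os\.popen\(|subprocess\.\w+\(.*shell\s*=\s*True"),
    "code_exec": re.compile(r"\b(eval|exec)\("),
    "deserialize": re.compile(r"pickle\.loads?\(|yaml\.load\("),
}

FUNC_DEF = re.compile(r"^\s*def\s+(\w+)\s*\(")


@dataclass
class Finding:
    line: int
    kind: str            # "source" or "sink"
    label: str           # key from the pattern tables above
    function: Optional[str]
    text: str


def scan(source: str) -> dict:
    """Return every pattern hit plus the functions that contain both a source and a sink."""
    findings = []
    per_function: dict = {}
    current = None
    for no, line in enumerate(source.splitlines(), start=1):
        m = FUNC_DEF.match(line)
        if m:
            current = m.group(1)
        for kind, table in (("source", SOURCE_PATTERNS), ("sink", SINK_PATTERNS)):
            for label, pattern in table.items():
                if pattern.search(line):
                    findings.append(Finding(no, kind, label, current, line.strip()))
                    if current is not None:
                        per_function.setdefault(current, {"source": set(), "sink": set()})
                        per_function[current][kind].add(label)
    # A function that both reads untrusted input and feeds a sink deserves the first look.
    hot = [name for name, kinds in per_function.items() if kinds["source"] and kinds["sink"]]
    return {"findings": findings, "hot_functions": hot}


if __name__ == "__main__":
    result = scan(SAMPLE_SOURCE)
    for f in result["findings"]:
        print(f"line {f.line:>3} {f.kind:<6} {f.label:<12} in {f.function}: {f.text}")
    print("review first:", result["hot_functions"])
```

The scanner is deliberately line-based and crude: it does not follow data across function boundaries, so a sink fed by a parameter (as in `ping`) shows up as a sink with no source and still needs a manual look at its callers. The parameterised query in `safe_count` is not reported, which is the behaviour a reviewer wants from the first pass.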

The best way to find open-source vulnerabilities is with SCA. SCA tools identify the open-source components an application depends on and compare their versions against public or private databases of known vulnerabilities affecting those dependencies.
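At its core an SCA check is a version-range comparison between a dependency manifest and an advisory feed. The following is an added example for this page, not the code of any SCA product: it parses a constructed pinned manifest, normalises package names the way Python package indexes do, and reports each dependency whose version falls inside an advisory's affected range. The package names and advisory identifiers are constructed placeholders, not real projects or CVEs.

```python
import re

# Constructed pinned manifest in requirements style (not from a real project).
MANIFEST = """\
# application dependencies
Acme_HTTP==2.3.1
widget-parser==0.9.0
safe-utils==1.4.2
"""

# Constructed advisory database. IDs are placeholders, not real advisories.
# A version is affected when introduced <= version < fixed_in.
ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "package": "acme-http", "introduced": "2.0.0", "fixed_in": "2.3.2", "severity": "high"},
    {"id": "EXAMPLE-2021-0002", "package": "widget-parser", "introduced": "0.0.0", "fixed_in": "1.0.0", "severity": "medium"},
    {"id": "EXAMPLE-2020-0003", "package": "safe-utils", "introduced": "1.0.0", "fixed_in": "1.4.0", "severity": "low"},
]

PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*==\s*([0-9][0-9.]*)\s*(?:#.*)?$")


def normalize_name(name: str) -> str:
    """Lower-case and collapse runs of '-', '_' and '.' to '-' (PEP 503 style)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> tuple:
    """Compare numeric dotted versions as integer tuples, so 2.10.0 > 2.9.0."""
    return tuple(int(part) for part in version.split("."))


def parse_manifest(text: str) -> dict:
    """Return {normalised_name: version} for every '==' pin; other lines are ignored."""
    pins = {}
    for line in text.splitlines():
        m = PIN.match(line)
        if m:
            pins[normalize_name(m.group(1))] = m.group(2)
    return pins


def is_affected(version: str, introduced: str, fixed_in: str) -> bool:
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed_in)


def audit(manifest_text: str, advisories: list) -> list:
    """Match each pinned dependency against every advisory for that package."""
    pins = parse_manifest(manifest_text)
    report = []
    for name, version in pins.items():
        for adv in advisories:
            if normalize_name(adv["package"]) != name:
                continue
            if is_affected(version, adv["introduced"], adv["fixed_in"]):
                report.append({
                    "package": name,
                    "version": version,
                    "id": adv["id"],
                    "severity": adv["severity"],
                    "upgrade_to": adv["fixed_in"],
                })
    return report


if __name__ == "__main__":
    for hit in audit(MANIFEST, ADVISORIES):
        print(f"{hit['severity']:<6} {hit['package']}=={hit['version']} "
              f"affected by {hit['id']}; upgrade to {hit['upgrade_to']}")
```

Two points this toy deliberately exposes: name normalisation matters, since `Acme_HTTP` and `acme-http` are the same package and a naive string compare would miss the advisory; and `safe-utils==1.4.2` is correctly reported clean because it sits past `fixed_in`, which is the comparison a real tool has to get right with full PEP 440 or semver semantics (pre-releases, build metadata) rather than the plain integer tuples used here.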

While scanning tools are not a silver bullet, the best way to build secure, quality software is to use tools to find candidate vulnerabilities and then conduct manual code reviews to validate them, all while the code is still fresh in the developer's mind.

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/q55dtX9XCvg/