Your SlideShare is downloading. ×
Manual Code Review
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Manual Code Review


Published on

null Bangalore Chapter - March 2014 Meet

null Bangalore Chapter - March 2014 Meet

Published in: Education, Technology
1 Like
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Manual Code Review - Sandesh Anand
  • 2. Who am I? • Security Consultant at Cigital Inc. • Ex-Developer • Areas of interest – Static analysis – Helping developers fix security bugs – Web App pen testing – Curious about all things security
  • 3. What are we talking about? • Why review code? • Automated v/s Manual review • Manual review – 10,000 ft. view • Manual code review in 60 seconds
  • 4. Why review code? • Finding bugs early in the lifecycle is cheaper • Different visibility to code – Reach all parts of code – Some issues only visible in code review (examples in the Demo) – Helps in identifying “where” the problem is
  • 5. Why review code? • So, pen testing is useless, right? Not quite. Why not? – Don’t want to be killed by a room full of pen- testers – Better at proving “exploitability” – Makes it easier to evangelize security it an organization – Coverage different from code review (e.g.: Issues in application sever configuration) – Understand what a hacker is looking at
  • 6. Automated v/s Manual This topic never ends. Here are some highlights: • Automated tools can plough through more code at lesser time. Very useful for large applications • Manual code review uses knowledge available to the tester • Tool support for certain programming languages stronger than the other (Java v/s Perl) • Quality of manual review depends on individual And so on….. Bottom line: Use both in a complimentary manner
  • 7. Manual review – 10,000 ft. view • Understand the application – Purpose of the application – Flow of the application – Technologies used – Environment (type of DB, frameworks, AppServer etc.) – Business logic – Etc. • Understand the approach to security controls: – Authentication and Authorization – Handling un-trusted data – Handling sensitive information – Session handling – Network boundaries – Error handling and logging – Misuse of security related APIs (crypto, randomness etc.) – Etc. • Look for specific vulnerabilities – Issues common to most applications (e.g.: Race condition, resource management, information leakage, validation routines) – Language specific issues (e.g.: Format string attacks in C) – Framework specific issues (e.g.: review ACEGI configuration) – Looking for malicious code/ Insider threat
  • 8. Manual code review in 60 seconds
  • 9. Manual code review in 60 seconds • Understand the application • Review security control (Hint: Pick logging) • Look for specific vulnerabilities
  • 10. Questions?