The document provides information on conducting code reviews to find vulnerable code. It discusses why code reviews are important, who should conduct them, when they should occur, and how to properly report any security issues that are found. The goal of code reviews is to improve code quality and find issues before they cause problems. The document also outlines how the Drupal security team handles reported vulnerabilities.

1. Code Review Looking for a vulnerable code Vlad Savitsky http://donetsk.drupal.ua

2. Code Review Looking for a vulnerable code

3. Twitter: У нас ввели code-review. – А это как? – Ну как, сидишь, читаешь код, ревёшь... http://twitter.com/#!/dallaylaen/status/129887114576920577

4. Overview Why review code? Who should do code review? Code Review or Person Review How to find a vulnerability? How to report about security problem?

5. Why review code? Increase code quality. Developers can learn new code. Learn new code best practices. To check if code is clear and easy to understand. Find vulnerable code.

6. What you shouldn't review? Bugs and mistakes. Coding Standard compliance.

7. When code should be reviewed? Before merging to trunk. Easy to review small pieces of code. Often is better.

8. When code should be reviews? Before adding new code to project. Contrib modules/themes Custom modules/themes Easy to review small pieces of code. Often is better.

9. Who should do code review? Team Lead Other developers

10. Code Review or Person Review Developers associate themselves with their code. Team Conflicts Ability to learn best practices .

11. Golden Rule of Code Review Do others code review as you want they do your code review.

13. Goal of Code Review Perfect code made by not perfect developers.

14. How to find a vulnerability?

16. Find XSS Find and inspect theme() functions. Does t() function used with proper placeholders. Does check_plain() or theme('placeholder') used for plain text? Does check_markup() or filter_xss() used for markup containing text?

18. SQL injection Bad code: db_query('SELECT foo FROM {table} t WHERE t.name = '. $_GET['user']); Good code: db_query("SELECT foo FROM {table} t WHERE t.name = '%s' ", $_GET['user']); Does Database API used correctly?

19. Bad smelling code Bad smelling code in most cases should be refactored. http://sourcemaking.com/refactoring/bad-smells-in-code

20. Drupal Security Team

21. Goals of the security team Resolve reported security issues. Provide assistance for contributed module maintainers in resolving security issues. Provide documentation on how to write secure code . Provide documentation on securing your site

22. How to report a security issue Do not post in the issue tracker or discuss it in IRC. Mail to security@drupal.org Provide as many details as you can. At least: Drupal version and/or module version. Steps to reproduce the problem. Do not disclose the vulnerability to anyone before the advisory is issued. You will be credited in the security announcement

23. How the security team works with issues Review the issue and evaluate the potential impact on all supported releases of Drupal. If it is indeed a valid problem, the security team is mobilized to eliminate it . New versions are created and tested. New packages are created and uploaded to Drupal.org. When an issue has been fixed, use all available communication channels to inform users of steps that must be taken to protect themselves.

24. Issues with contributed modules The module maintainer is contacted with a deadline . When the maintainer fixes the problem, the security team issues an advisory. If the maintainer does not fix the problem within the deadline, an advisory is issued, recommending disabling the module and the project on Drupal.org is unpublished.

25. Happy Code Review!!!

26. Questions? Question #1 Question #2 Question #3