Manual Code Reviews
Performing manual code reviews is essential to verify code quality and ensure that no code changes are overlooked. This collaborative approach fosters accountability and encourages peer engagement, reducing potential security vulnerabilities before they reach production.
Best Practices
Conduct Regular Manual Code Reviews
- Establish a code review policy that mandates peer reviews for all code changes. This helps ensure that multiple eyes have reviewed the code, which can catch security vulnerabilities that might be overlooked by the original author.
- Incorporate security-focused checklists into the manual review process to ensure that all security best practices are adhered to.
- Schedule code reviews as part of the development workflow to integrate security into the design and development lifecycles rather than handling it as a separate task.
- Provide training for developers on secure coding practices to facilitate more effective code reviews and to foster a culture of security awareness.
- Utilize tools that assist in manual code reviews, such as integrated development environment (IDE) plugins and issue trackers, to streamline the process and document findings.
Questions to ask your team
- How often do you conduct manual code reviews, and what is the process followed?
- Are there guidelines or checklists in place for the manual code review process?
- Who participates in the manual code reviews, and how are roles assigned?
- What tools do you use to assist in the manual code review process?
- How do you track the findings from manual code reviews, and what actions are taken to address identified issues?
- Is there a training program in place for staff involved in code reviews to enhance their security expertise?
- How do you ensure that the lessons learned from code reviews are incorporated into future development cycles?
Who should be doing this?
Security Analyst
- Conduct manual code reviews to identify potential security vulnerabilities.
- Collaborate with developers to provide feedback on security best practices.
- Ensure compliance with security policies and standards during code reviews.
Developer
- Implement coding standards that prioritize security.
- Participate in manual code reviews to receive feedback and improve code quality.
- Address security concerns raised during the code review process.
DevOps Engineer
- Integrate security testing tools into the CI/CD pipeline to complement manual reviews.
- Ensure that the deployment environment is configured securely.
- Monitor and report on security metrics during the deployment phase.
Project Manager
- Coordinate between development, security, and operations teams to ensure effective collaboration.
- Allocate resources and set timelines for code review processes.
- Facilitate training programs on secure coding practices for team members.
Quality Assurance Engineer
- Test the application for security vulnerabilities as part of the QA process.
- Work alongside developers to ensure security issues are identified and resolved before production.
- Review the outcomes of manual code reviews and contribute to continuous improvement efforts.
What evidence shows this is happening in your organization?
- Code Review Checklist: A checklist to guide manual code reviews, ensuring that security best practices are followed and all relevant security aspects are validated.
- Code Review Policy: A formal policy outlining the requirements for code reviews, specifying roles, responsibilities, and the frequency of reviews to maintain security standards.
- Automated Code Review Integration Plan: A plan detailing how automated tools will be integrated with manual code reviews, including steps for evaluating vulnerabilities and securing code across the development lifecycle.
- Security Review Guide: A comprehensive guide for developers and reviewers on how to conduct effective manual code reviews with a focus on identifying and mitigating security vulnerabilities.
- Training Material for Code Reviewers: Training resources designed for individuals involved in manual code reviews, covering best practices, common vulnerabilities, and security principles to ensure thorough assessments.
- Review Metrics Dashboard: A dashboard that displays metrics related to code reviews, such as number of reviews conducted, findings per review, and time taken to address security issues, helping to track security validation efforts.
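One way to turn the review policy (peer approval required on every merged change) and the review metrics dashboard into something you can check mechanically, as an added example that is not part of this advice page or any vendor's tooling. The review records, PR ids and names are constructed here; a real version would read them from your source control or issue tracker.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import List, Optional

@dataclass
class Review:
    reviewer: str
    approved: bool

@dataclass
class Finding:
    opened: datetime
    resolved: Optional[datetime]   # None while the issue is still unaddressed

@dataclass
class PullRequest:
    pr_id: str
    author: str
    merged: bool
    reviews: List[Review]
    findings: List[Finding]

def policy_violations(prs: List[PullRequest]) -> List[str]:
    """Merged PRs with no approval from a reviewer other than the author."""
    return [pr.pr_id for pr in prs if pr.merged
            and not any(r.approved and r.reviewer != pr.author for r in pr.reviews)]

def review_metrics(prs: List[PullRequest]) -> dict:
    """Dashboard figures: reviews held, findings per review, median hours to fix, open findings."""
    reviewed = [pr for pr in prs if pr.reviews]
    findings = [f for pr in prs for f in pr.findings]
    fix_hours = [(f.resolved - f.opened).total_seconds() / 3600 for f in findings if f.resolved]
    return {
        "reviews": len(reviewed),
        "findings_per_review": len(findings) / len(reviewed) if reviewed else 0.0,
        "median_fix_hours": median(fix_hours) if fix_hours else None,
        "open_findings": sum(1 for f in findings if f.resolved is None),
    }

# Constructed sample records (hypothetical PR ids and names, not real data).
T0 = datetime(2024, 1, 8, 9, 0)
SAMPLE_PRS = [
    PullRequest("PR-101", "alice", True, [Review("bob", True)],
                [Finding(T0, T0 + timedelta(hours=4))]),
    PullRequest("PR-102", "bob", True, [Review("bob", True)], []),        # self-approved
    PullRequest("PR-103", "carol", True, [Review("alice", False)],        # merged with changes requested
                [Finding(T0, T0 + timedelta(hours=20)), Finding(T0, None)]),
    PullRequest("PR-104", "dave", False, [], []),                        # unmerged: not a violation
]
```

Running `policy_violations(SAMPLE_PRS)` flags the self-approved and the unapproved merges, which is the evidence a review policy audit would look for; `review_metrics(SAMPLE_PRS)` produces the figures the dashboard bullet describes.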
Cloud Services
AWS
- AWS CodeGuru: AWS CodeGuru uses machine learning to automate code reviews, improving code quality and security by providing recommendations.
- Amazon Inspector: Amazon Inspector is a security assessment service that helps improve the security of applications deployed on AWS by automatically assessing for vulnerabilities.
- AWS CloudTrail: AWS CloudTrail enables governance, compliance, and operational and risk auditing of your AWS account, allowing you to track user activity.
Azure
- Azure DevOps: Azure DevOps provides tools for CI/CD that can incorporate automated security scans in the development workflow.
- Azure Security Center: Azure Security Center helps you to prevent, detect, and respond to threats, offering recommendations for security best practices.
- Microsoft Static Code Analysis: This tool automatically checks for vulnerabilities and ensures code quality during the development process.
Google Cloud Platform
- Cloud Build: Cloud Build is a CI/CD service that can integrate automated security and code quality checks into the build pipeline.
- Container Analysis: Container Analysis provides vulnerability scanning and metadata storage for container images to enhance security before deployment.
- Google Cloud Security Command Center: Security Command Center helps you gain visibility into your security posture and protect your data, applications, and services.
Question: How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle?
Pillar: Security (Code: SEC)