From the course: Static Application Security Testing

Challenges of assessing source code - SonarQube Tutorial

Challenges of assessing source code

- [Instructor] While documenting your application's security controls provides a solid foundation for your static testing efforts, performing source code security reviews is going to make up most of your testing activity once that documentation is in place. The first thing a tester needs to understand is that code reviews and code security reviews are not the same thing. A source code review focuses on functionality. Does the application work? Does it do what it was designed to do? A source code security review focuses on resilience. Can an attacker break the application? Can that attacker make the app do something the developers didn't design it to do?

For apps targeting customers in the U.S., let's consider the ZIP Code field for a moment. If your application asks the user to enter a home address, then there is likely a field for ZIP Code. From a developer's point of view, this is most likely a field that accepts user input, say, five numbers, and then compares that entry to a backend database that maps ZIP Codes to the towns and cities they represent. When performing a code review of the ZIP Code function, a QA tester might enter the numbers 93013 and expect the application to return the value Carpinteria. As long as the field accepts input and performs a valid lookup, the code does what it's supposed to do. That test would be considered successful.

But then you, the security tester, come along, and instead of entering five numbers, you enter 20. Maybe you enter 257. Better yet, you don't enter any numbers at all. You enter escape characters and SQL database query strings. You enter anything but the expected five-number input. Is the application coded in a way that expects you to do the unexpected? Does it fail gracefully, or does it let you run commands directly against the database? A code review could very well miss this potential security flaw, but a code security review should find it almost right away.

"Big deal," your developer tells you. "They're just ZIP Codes, so what if someone can dump the entire database? It's public knowledge!" Right, ZIP Codes are public knowledge, but what other database tables are behind that application? Do any of them contain customer private data, account numbers, healthcare details? If your developers are using insecure functions for your ZIP Code lookups, what are the chances that they're using the same code snippet to look up sensitive information? It's your job as a security tester to think like an attacker, and every snippet of code that you review can provide you insight into how the developers approached building this application. A few lines of insecure code linked to a low-risk function could give an attacker renewed focus on how to break into the application, doing harm both to your company and to your customers.

When it comes time to conduct a code security review, one of the first questions you'll need to answer is, "Are we going to perform manual reviews or automated reviews?" My answer: why not both? Automated reviews are essential if you want to quickly cover a lot of code in depth. Let's face it, we all have deadlines. The developers have their go-live dates, and your testing needs to occur before then. Automation is the only way to make that happen. But don't walk away from manual source code security reviews entirely. There is tremendous value in keeping some aspect of source code security reviews in place for training and education purposes. If manual reviews help the developers learn how to spot insecure code while they're writing it, then what are the chances they'll change their ways and start writing secure code the first time around?

Getting from where you are today to where you want to be will take time, and here are a few considerations to help you get there more quickly. First, application security testing cannot be haphazard if it's going to have a positive long-term impact. Be prepared to document well-defined processes along the way. Prototype your testing, find what works, and write that down. Wash, rinse, repeat.

Finding internal resources with security experience and knowledge will be your second challenge. You are taking this course to expand your knowledge in this space, and that's fantastic. Can you say the same for the rest of your security team? And what about your developers?

You are going to need tools to automate all of this, and tools come with training, a learning curve, and often some cost. I'm going to show you a couple of free and open source tools, but depending on your specific needs, you may need to budget for commercial tools at some point.

If project timelines don't already include security testing activities, you'll get some pushback regarding adding extra work. Once you help the project team see the long-term value of this testing, then it becomes a matter of accounting for testing activities within those timelines.

And finally, you're going to need to carve out time for everyone involved to perform some training on this topic. Everyone doesn't need the exact same training, but at a minimum, everyone does need to understand what you're doing and why you're doing it. Approaching every conversation about source code security reviews with these considerations in mind will help you key in to how you can effectively implement these reviews within your own organization.
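To make the ZIP Code discussion concrete, here is an added example (not code from the course) of the lookup in two forms: the version a functional code review passes because 93013 returns Carpinteria, and the hardened version a code security review would ask for. The table, the city data, the `probe` helper and the function names are all constructed for this demo; the database is an in-memory SQLite instance.

```python
import re
import sqlite3

# Constructed sample data for the demo: a tiny ZIP Code -> city table.
SAMPLE_ROWS = [("93013", "Carpinteria"), ("93101", "Santa Barbara"), ("10001", "New York")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE zipcodes (zip TEXT PRIMARY KEY, city TEXT)")
    conn.executemany("INSERT INTO zipcodes VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_city_vulnerable(conn, user_input):
    """The version a functional code review passes: 93013 -> Carpinteria.
    The defect a code security review must flag: the input is pasted into the
    SQL text, so whatever the user types becomes part of the query itself."""
    sql = "SELECT city FROM zipcodes WHERE zip = '" + user_input + "'"
    return [row[0] for row in conn.execute(sql)]


# [0-9] rather than \d: in Python 3, \d also matches non-ASCII digits.
ZIP_RE = re.compile(r"[0-9]{5}")


def lookup_city_hardened(conn, user_input):
    """Same lookup with the two controls a reviewer looks for."""
    # 1. Accept only the expected five-digit input; everything else fails closed.
    if not ZIP_RE.fullmatch(user_input):
        raise ValueError("ZIP Code must be exactly five digits")
    # 2. Bind the value as a parameter so the database treats it as data, not SQL.
    rows = conn.execute("SELECT city FROM zipcodes WHERE zip = ?", (user_input,))
    return [row[0] for row in rows]


def probe(conn, user_input):
    """Run one tester input through both implementations and report what each did:
    a list of cities, or the name of the exception raised. ValueError from the
    hardened version is the graceful failure; OperationalError from the vulnerable
    version means the database tried to parse the input as SQL."""
    report = {}
    for name, fn in (("vulnerable", lookup_city_vulnerable), ("hardened", lookup_city_hardened)):
        try:
            report[name] = fn(conn, user_input)
        except Exception as exc:  # record any failure mode, not just the expected one
            report[name] = type(exc).__name__
    return report


if __name__ == "__main__":
    db = make_db()
    for tester_input in ("93013", "257", "93013'", "' OR '1'='1"):
        print(repr(tester_input), "->", probe(db, tester_input))
```

The QA input behaves identically in both versions; it is the tester's "anything but five digits" inputs that separate a crash or a full table dump from a clean rejection.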