Checking the security of source code is a specialized task that combines manual and automated analysis of a program's source code to identify security-relevant defects in it.
The code security check tells developers how robust the source code is in each of the following areas:
• Session management
• Data validation
• Error handling
• Event logging
When to perform a code security check
Security should stay in focus throughout the development lifecycle. Threat modelling at the design stage, training developers in secure coding practices, and regular expert code reviews with security staff involved all improve the overall quality of the code and reduce the number of security findings.
However, this service is most useful towards the end of development, once most or all of the functionality is implemented. The reason for waiting until this late stage is that a security review of the code is expensive and time-consuming; a single pass at the end, over code that is no longer being rewritten, keeps the cost down.
Manual or automatic verification
Automated tools are effective only at detecting certain classes of defects. A given tool may be useful for finding some problems but miss others. For this reason, R&B team experts use several automated tools in combination, which mitigates the problem but still does not guarantee that every issue is found. Automated tools also tend to produce false positives (reported results that are not actual problems). Triaging false positives requires human judgement and takes time away from the development team.
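To make the limitation concrete, here is an added illustration (not code from this page or from the R&B team): a deliberately tiny, line-based static checker with one rule, "an `execute()` call whose argument is built with an f-string, `%` formatting or `+` concatenation may be SQL injection", run over four constructed snippets. The rule has no data-flow analysis, which is an assumption chosen to mirror the weakness of simple signature-based scanners; the snippets, the function names and the `classify()` helper are all invented for the example.

```python
"""Toy SAST rule showing a true positive, a false negative and a false positive.

Added example, not code from the original page. The scanner is a single
regex rule with no data-flow analysis (an assumption made on purpose, to
mirror how a simple pattern-based tool behaves).
"""
import re

# Match a call to .execute( ... ) and capture its argument list.
_EXEC_CALL = re.compile(r"\.execute\(\s*(?P<arg>.+)\)\s*$")
# "Dynamic" query building: an f-string, "%" formatting with a tuple, or "+".
_DYNAMIC = re.compile(r'(?:\bf["\'])|(?:%\s*\()|(?:\+)')


def scan(source: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every execute() call that looks dynamic.

    The rule only sees one line at a time, so a query assembled on an
    earlier line and passed in as a variable is invisible to it.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = _EXEC_CALL.search(line)
        if m and _DYNAMIC.search(m.group("arg")):
            findings.append((lineno, line.strip()))
    return findings


def classify(source: str, reviewer_says_vulnerable: bool) -> str:
    """Compare the tool's verdict with a human reviewer's ground truth."""
    flagged = bool(scan(source))
    if flagged and reviewer_says_vulnerable:
        return "true positive"
    if flagged and not reviewer_says_vulnerable:
        return "false positive"
    if not flagged and reviewer_says_vulnerable:
        return "false negative"
    return "true negative"


# Constructed samples (not real project code).

# 1. True positive: user input interpolated straight into the query.
TRUE_POSITIVE = '''
def find_user(cursor, username):
    cursor.execute(f"SELECT * FROM users WHERE name = '{username}'")
'''

# 2. False negative: the same injection, but the string is assembled on an
#    earlier line, so the line-local rule sees only a plain variable.
FALSE_NEGATIVE = '''
def find_user(cursor, username):
    query = "SELECT * FROM users WHERE name = '" + username + "'"
    cursor.execute(query)
'''

# 3. False positive: "+" appears, but it joins two constant strings and the
#    user value is passed as a bound parameter, which is safe.
FALSE_POSITIVE = '''
def find_user(cursor, username):
    cursor.execute("SELECT * FROM users " + "WHERE name = %s", (username,))
'''

# 4. Clean: parameterised query, nothing to report.
CLEAN = '''
def find_user(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = %s", (username,))
'''


if __name__ == "__main__":
    samples = [
        ("TRUE_POSITIVE", TRUE_POSITIVE, True),
        ("FALSE_NEGATIVE", FALSE_NEGATIVE, True),
        ("FALSE_POSITIVE", FALSE_POSITIVE, False),
        ("CLEAN", CLEAN, False),
    ]
    for name, src, truth in samples:
        print(f"{name:15} -> {classify(src, truth):15} {scan(src)}")
```

Snippets 2 and 3 are the point: the tool misses the second injection entirely and flags the third, harmless call, and only a reviewer who reads the surrounding lines can tell the two apart. Running two or three such tools with different rules narrows the gaps but, as the text says, does not close them.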
The approach our company takes to validating code security is to understand the advantages and disadvantages of each method, manual and automated, and to apply each where it is needed.