Protecting Our Code

What’s the best way to keep our code safe?

Image By freepik

No Man Is an Island

Software flaws can provide hackers with a first point of entry into systems that would otherwise have strong security measures. Furthermore, small mistakes can have far-reaching effects. For example, Heartbleed, small bug in OpenSSL that exposed the personal information of millions of users.

No matter how good they are, developers can never catch everything. Everybody has knowledge gaps and exhaustion periods. But gaps are closed when colleagues’ varied experiences and new perspectives are brought to bear.

Gerald Weinberg, a trailblazing computer scientist, once stated, ” Testing does not improve a product; the improving is done by people fixing the bugs that testing has uncovered.”

Peer review has been shown to have a favourable impact on software quality in the past; testing by itself did not reveal significantly more defects as peer review did. According to additional studies, code reviewed by a peer had far less critical to high vulnerabilities when it was launched than code created alone.

Obviously, to strengthen our systems, we need to take advantage of peers’ intelligence. But precisely how?

Together We Refine

First and foremost, security review must be incorporated early on in the software development life cycle. When significant adjustments are required, waiting until later phases impedes progress.

Reviews must concentrate on identifying common vulnerabilities as categorized in resources like MITRE’s CWE or OWASP’s Top 10 list, paying close attention to areas like input validation, authentication, encryption, and access controls that are vulnerable to attacks.

I recommend a simple, frequent review method for best results. Short, iterative tests prevent developers from being overwhelmed and identify problems early on before too much is built upon a fragile foundation.

Automated systems can help reviewers by doing preliminary security scans. However, small problems missed by static analysis techniques are picked up by manual inspection. Humans are excellent at context-based reasoning, or figuring out how various parts work together in alignment with Business workflows. We must harness this ability. 

Use checklist templates that concentrate on priority risks unique to the design of the system and data sensitivity to save time. Help reviewers go beyond language and protocol compliance to the logic of the code and data flows.

None Of Us Is as Smart as All of Us

Having work critiqued may appear judgmental to certain developers. Promoting a no-blame culture where the emphasis is on writing better code rather than criticizing coders is paramount.

Reward individuals who spot critical weaknesses and provide coaching to those who make mistakes in order to strengthen skills. Gaining trust increases cooperation and collaboration.

Rotating reviewers among projects also aids in knowledge dissemination. To prevent conflicts of interest, managers can also choose impartial reviewers who have no stake in the code.

Demand unbiased, actionable feedback that is based on facts rather than opinions. Remarks such as “this code is sloppy” are useless; it would be more beneficial to specify exactly what needs to change and why.

Lastly, communication need to be reciprocal. Developers & Architects should justify design choices and ask reviewers for clarity. Even when a technique is sound, it is often the case that explaining one’s reasoning exposes mistakes.

Stay Focused on The Solution, Not The Problem

Peer review is very beneficial, yet there is sometimes opposition to its introduction. Developers could take offense at perceived criticism or view it as needless additional work. How can we get past resistance?

First, make it
First, make it abundantly evident how reviewing helps everyone by averting high-cost security failures.

The significance of teaching secure coding practices is further highlighted

Next, reduce time constraints by designating office hours for code review and prioritizing quality over quantity. Supervisors ought to regard reviewing as just as important as developing code.

Recognize that change is difficult, then work together to establish expectations to gain support. Encourage top coders to participate as reviewers; developers will be more responsive to criticism from people they respect.

The Price of Doing The Same Old Thing Is Far Higher Than The Price Of Change

Advancements in technology open fresh opportunities to enhance peer review. Modern code review platforms streamline workflows and data analytics can pinpoint risky parts of code most needing human eyes.

Technological developments create new avenues for improving peer review. Workflows are streamlined by modern code review platforms, and data analytics can identify risky parts of code that need human review the most.

The Quality Assurance Lead provide some good examples of such tools

More specifically, inline commenting and feedback sharing are made simple by systems that integrate with repository servers like GitHub. Data sharing between reviewers and scanners is made possible by standards such as SARIF.

Natural Language Processing (NLP) approaches for text and code analysis can quantify complexity and identify high-risk patterns. Manually review the less readable modules that are most likely to have hidden defects.

Some teams now simulate attacks on code in sandboxes for sensitive systems. Attempting to bypass defences makes it easier to identify their vulnerabilities.

Blossoming disciplines such as Chaos Engineering also contribute to the answer of the additional question: how comfortable are we with our code in the event of the unavoidable unexpected? Well-designed tests cases can reveal hidden fragility.

Build Your House on A Solid Rock, Not On Sand

In summary, peer code review is a tried-and-true safeguard that is all too frequently overlooked in the code development. It makes use of state-of-the-art tools while encapsulating decades of experience in software engineering.

No project, company, or developer should believe that their code is so perfect that it doesn’t require additional review from other eyes. We can build more stronger digital foundations by incorporating collaborative review into the development process and investigating new technologies that facilitate reviews.

Since successful cyberattacks are growing more frequent by the day, we must always be improving our system security and incorporating cyber resilience into our code.

Further Reading:

OWASP Code Review Guide

Open Source Security Foundation

Related Articles

How Can ITM Help You?

IT Minister covers all aspects ofIT Minister covers all aspects of Cyber Security including but not limited to Home cyber Security Managed Solutions to automated, Manage Threat IntelligenceDigital Forensic InvestigationsPenetration TestingMobile Device ManagementCloud Security Best Practice & Secure Architecture by Design and Cyber Security Training. Our objective is to support organisations and consumers at every step of their cyber maturity journey. Contact Us for more information.