Peer review is not a substitute for security code review. Peer code review is typically used to find functional bugs, so unless the review is specifically targeted at finding security vulnerabilities and, more importantly, the reviewers have a deep understanding of application security, many of the more critical security vulnerabilities and design flaws will be missed. In many cases a well-intentioned user requirement, implemented without any functional error, can still introduce the greatest security risk. As part of a broader software risk analysis or software assurance program, security code reviews should be a regular part of the development process.
While it is possible to identify security vulnerabilities in source code manually, most companies do not have the skilled security resources, or the time within the software development lifecycle, that a manual code review requires. As a result, many companies that decide to perform manual code review can only analyze a small portion of their applications. Forced by practical constraints to review only a sample of applications, organizations end up with only partial insight into the security state of their portfolio. Some of the techniques frequently used to verify application security include automated source code review, static analysis, penetration testing, manual code review, threat modeling, and architecture review. All of these techniques are useful and important, but they should be applied strategically, where each is most effective.
To learn more about these techniques please refer to "The Top Web Application Vulnerabilities and How to Hunt Them Down at the Source".
For a case study on how these techniques were applied to assure security of an open source application please download "Opening The Black Box - A Source Code Security Analysis Case Study".
With growing awareness of software vulnerabilities as a critical problem in information security, and with the availability of accurate, efficient source code vulnerability analysis technologies, organizations are integrating code reviews into software development far more often, and with greater success. Organizations may choose different models for integrating security code reviews into the development process depending on available resources, such as security expertise and technologies, as well as project objectives. For a detailed outline of the three main models, along with a description of the decision-making and implementation process, please refer to "Implementing Source Code Vulnerability Testing in the Software Development Life Cycle".
There is agreement among analysts that the earlier in the life cycle security vulnerabilities are discovered, the cheaper they are to address. Research published by B. Boehm and V. Basili in IEEE Computer found that fixing a software defect after deployment costs more than 100 times what it would have cost to fix it in the first stages of the development life cycle. For security defects, late-stage costs are often much higher still, because in addition to remediating the flaws, the organization may have to deal with the consequences of successful exploits, such as data theft, sabotage, or other attacks.
Organizations can ensure the security of their outsourced applications by requiring a security audit of the source code as part of the outsourcing contract. Ounce Labs has published sample contract language for software development that sets specific security standards and ensures that outsourced code is developed with security built in from the ground up and is validated prior to acceptance. To download a copy of this contract language, please visit www.ouncelabs.com/assurance.