Mastering The Security Code Review
Published 12/2023
MP4 | Video: h264, 1920x1080 | Audio: AAC, 44.1 KHz
Language: English | Size: 700.08 MB | Duration: 2h 0m
Secure, Clean, Scalable, and Effective Code Reviews for Teams
What you'll learn
Learn how to set up a process for conducting efficient and effective security code reviews
Dive into the human side of code reviews and learn how to communicate with your team
Review examples of Code Review Checklists, Reports, and Metrics
Gain insight into scoping techniques based on Data Flow Decomposition and Threat Modeling
Learn about common vulnerabilities to look for when performing a security code review
Find out how to spot anti-patterns during code reviews
Get actionable information on code crawling techniques to help focus your review
Gain insight into how automation with SAST tools can support your code review efforts
Requirements
An understanding of basic software development and security practices is helpful.
Description
Unlock the key to secure software development with Mastering the Security Code Review. This comprehensive course is designed for developers, security professionals, and anyone involved in the software development lifecycle who wants to enhance their skills in identifying and mitigating security vulnerabilities through effective code review practices.
Course Highlights:
Understanding Security Principles: Explore foundational security principles and concepts to establish a strong knowledge base for secure coding practices.
Code Review Process: Learn a systematic approach to conducting security code reviews, from setting objectives to prioritizing findings.
Identifying Common Vulnerabilities: Gain hands-on experience in identifying and understanding common security vulnerabilities, including injection attacks, authentication flaws, and more.
Secure Coding Best Practices: Explore industry best practices for writing secure code and learn how to integrate security considerations into the development process.
Tools and Techniques: Familiarize yourself with popular code analysis tools and techniques used in security code reviews to streamline the review process.
Code Review Automation: Discover how to integrate automated tools and scripts into your code review process to enhance efficiency and accuracy.
Collaboration and Communication: Explore effective communication strategies for collaborating with development teams, fostering a culture of security awareness.
Documentation and Reporting: Learn how to create comprehensive and clear documentation and reports to communicate findings and recommendations to stakeholders.
Continuous Improvement: Discuss strategies for incorporating security code reviews into the broader software development lifecycle and fostering a culture of continuous improvement.
This course is designed to equip participants with the skills and knowledge needed to confidently conduct security code reviews and contribute to building secure software.
Join us on this journey to enhance your expertise in securing applications from potential threats and vulnerabilities.
Overview
Section 1: Introduction
Lecture 1 Introduction
Lecture 2 The Security Code Review
Lecture 3 Course Structure and Content
Section 2: Foundation Concepts
Lecture 4 Building Secure Software
Lecture 5 Risk Management
Section 3: Reviewing Code - Not People
Lecture 6 When Your Code is Being Reviewed
Lecture 7 When You Are Reviewing Code
Section 4: Conducting the Security Code Review
Lecture 8 Secure Code Review Maturity
Lecture 9 The SCR Process
Lecture 10 SDLC and the Secure Code Review
Lecture 11 Vulnerability Lists as a Guide
Lecture 12 Data Flow as a Guide
Lecture 13 Threat Modeling as a Guide
Lecture 14 Metrics
Lecture 15 Templates for Checklists, Reports, and Metrics
Section 5: What to Look For: Code-Based Vulnerabilities
Lecture 16 Types of Vulnerabilities
Lecture 17 Deep Dive: Authorization and Session Management
Lecture 18 Deep Dive: Cookies
Lecture 19 Deep Dive: Input Validation
Lecture 20 Deep Dive: Error Handling and Logging
Section 6: What to Look For: Anti-Patterns and Bad Practices
Lecture 21 What is an Anti-Pattern?
Lecture 22 Deep Dive: Not Knowing What Libraries Contain
Lecture 23 Deep Dive: Using Production Data
Lecture 24 Deep Dive: Blacklists for Input Validation
Lecture 25 Deep Dive: Unsafe String Concatenation
Lecture 26 Deep Dive: Systems That Can't Be Updated
Section 7: Crawling the Code
Lecture 27 Code Crawling 101
Lecture 28 HTML Tags
Lecture 29 HTTP Request Strings
Lecture 30 HTML Output and Cookies
Lecture 31 Input Controls
Lecture 32 SQL and Databases
Lecture 33 JavaScript
Section 8: Leveraging Automation
Lecture 34 SAST Basics
Lecture 35 Common SAST Tools
Lecture 36 SAST Supports the Code Review
Lecture 37 Coverage and Focus
Section 9: Conclusion
Lecture 38 Summary and Thank You
Who this course is for:
Application Security Architects, Application Developers, Software Engineering Professionals, Engineering Managers, Security Managers
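Sections 6 and 7 of the outline name code crawling (HTTP request strings, HTML output and cookies, SQL and databases) and unsafe string concatenation as review focus areas. The script below is an added example of that technique, written for this listing; it is not course material. It greps a source tree for those sink categories and returns line-numbered hits so a reviewer can start at the code that handles untrusted input instead of reading everything. The regexes and the sample source are illustrative assumptions constructed for the example, not a checklist from the course.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Illustrative sink patterns grouped by the code-crawling categories named in the outline.
# These are assumptions for this example; a real review tunes them to the code base's stack.
CRAWL_PATTERNS: Dict[str, List[str]] = {
    "HTTP request strings": [
        r"request\.(args|form|values|cookies|headers)\b",   # Flask/Werkzeug-style access
        r"getParameter\s*\(",                                # Java servlet style
        r"\$_(GET|POST|REQUEST|COOKIE)\b",                   # PHP superglobals
    ],
    "HTML output and cookies": [
        r"\.innerHTML\s*=",
        r"document\.write\s*\(",
        r"Set-Cookie",
        r"\bMarkup\s*\(|\|\s*safe\b",                        # template auto-escape bypasses
    ],
    # Queries assembled from strings are the priority finding (unsafe string concatenation).
    "SQL: query built from strings": [
        r"\b(select|insert|update|delete)\b[^\n]*[\"']\s*\+",     # "... WHERE id=" + x
        r"\b(select|insert|update|delete)\b[^\n]*%\s*\(",         # "... %s" % (x,)
        r"\b(select|insert|update|delete)\b[^\n]*\.format\s*\(",  # "...{}".format(x)
        r"f[\"'][^\"']*\b(select|insert|update|delete)\b",        # f"SELECT ... {x}"
    ],
    # Every execute call is worth a look, even when it turns out to be parameterized.
    "SQL: execute call": [
        r"\bexecute\s*\(",
    ],
}

COMPILED = {
    category: [re.compile(p, re.IGNORECASE) for p in patterns]
    for category, patterns in CRAWL_PATTERNS.items()
}


@dataclass
class Hit:
    path: str
    line_no: int
    category: str
    text: str


def crawl_source(path: str, source: str) -> List[Hit]:
    """Return one Hit per (line, category) where any pattern of that category matches."""
    hits: List[Hit] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for category, patterns in COMPILED.items():
            if any(p.search(line) for p in patterns):
                hits.append(Hit(path, line_no, category, line.strip()))
    return hits


def crawl_tree(root: str, suffixes=(".py", ".java", ".php", ".js", ".html")) -> List[Hit]:
    """Walk a directory and crawl every file with one of the given suffixes."""
    hits: List[Hit] = []
    for file in sorted(Path(root).rglob("*")):
        if file.is_file() and file.suffix in suffixes:
            hits.extend(crawl_source(str(file), file.read_text(errors="replace")))
    return hits


def lines_for_review(hits: List[Hit]) -> List[int]:
    """Distinct line numbers flagged in any category, the reviewer's starting points."""
    return sorted({h.line_no for h in hits})


# Constructed sample source (not from the course): one concatenated query, one parameterized.
SAMPLE_SOURCE = '''\
from flask import request, make_response
import sqlite3

def lookup_user(db):
    user_id = request.args.get("id")                     # untrusted input enters here
    cur = db.cursor()
    cur.execute("SELECT * FROM users WHERE id = " + user_id)   # string-concatenated SQL
    return cur.fetchone()

def lookup_user_safe(db):
    user_id = request.args.get("id")
    cur = db.cursor()
    cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))   # parameterized
    return cur.fetchone()

def set_session(resp, token):
    resp.headers["Set-Cookie"] = "session=" + token       # cookie written by hand
    return resp
'''

if __name__ == "__main__":
    for hit in crawl_source("app.py", SAMPLE_SOURCE):
        print(f"{hit.path}:{hit.line_no} [{hit.category}] {hit.text}")
```

Run against the sample, the crawl flags lines 5 and 11 (request strings), line 7 in both SQL categories, line 13 only as an execute call, and line 17 for the hand-built cookie. The point of the two SQL categories is triage: a line that builds a query from strings is reviewed first, while a bare execute call with a parameter tuple is a quick confirm-and-dismiss. A crawl like this narrows the review; it does not replace reading the data flow from each flagged line.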