Secure Code Reviews: Discussion and Web Show

Henry Dalziel | General Hacking Posts, Hacker Hotshots, Resources and Tutorials | July 23, 2013

If you’re a coder and reading this, then make sure you put some time aside on July 24th for our Hacker Hotshot web show with Sherif Koussa. The event, at the usual time of 12 EST and titled “Secure Code Reviews Magic or Art?”, is aimed at coders who want to learn how to toughen up their code.

What is this Hacker Hotshot all about?
Sherif is going to explain, amongst other things, two main points:

  • How security code reviews are an excellent way to reveal security flaws within source code
  • The essential steps that you must take, and the skills and tools required, to kick off security code reviews at your organization.

Who is Sherif Koussa?
Sherif (@Skoussa) has over a decade of experience in the software development industry, with his recent past focused on application security. Whilst there is an abundance of coverage of security layers and networking, there is, in comparison, very little on application security, so if you just stumbled across this post and are interested in the subject then we are delighted that you did!

It is an absolute honor to have such a talented security professional as Sherif Koussa on Hacker Hotshots, not least because of his breadth of experience but also because of his commercial expertise in helping organizations toughen their security, specifically the security of their applications. Sherif is the Principal Security Consultant and Founder of Software Secured, and devotes his time to consulting for organizations and assessing their high-risk software applications using a source-code-driven security methodology.

Of interest, you might like to know that Sherif authored the courseware for the SANS VoIP Security course, so if you are interested in VoIP hacking, defense and security then maybe you can ask a question during the event! Funnily enough, we actually have a 15-minute demo titled “Learn How To Crack SIP Authentication & Listen To VOIP Calls In 15-Minutes!” with Eric Deshetler on July 31st at 12.45pm. Head on over to the page for more info on the demo and mini-course, but if you want a quick summary: Eric has worked for the NSA, the US Military and NASA and is going to give us a demo on how to crack VoIP using Wireshark.

Security Code Reviews – a summary
If you are interested in the subject then get involved in our Hacker Hotshot web show with Sherif, and we’d also recommend you hit this OWASP page. If you want to stick to this post, here is a brief summary of what a Security Code Review is and how it works.

Central to understanding Security Code Reviews is the System Development Life Cycle (often abbreviated to SDLC). As you would imagine, Security Code Reviews and the associated SDLC vary in formality and process, but essentially they all serve the same purpose, i.e. to find vulnerabilities and holes in the code. Karl Wiegers, a noted expert on the subject, compiled a list of seven security code review processes from the least important to the most important:

  • Ad hoc review
  • Passaround
  • Pair programming
  • Walkthrough
  • Team review
  • Inspection

Related Post: You might find our blog post last year titled “Employ hackers with autism and asperger syndrome” interesting when it comes to code reviews. The reason we say that is because autistic folk have shown an amazing ability to detect patterns and problems in code.
Related InfoSec Course: Our web application course and training package might be of interest to you, especially if you have secure code review responsibilities in your employment.

Also, if you are interested in the subject, take a look at Bug Bounties – here’s a list of the available Bug Bounty programs. They are exactly what you think they are, i.e. you are (generally) paid to discover vulnerabilities and weaknesses in code and/or to test programs.

What are your thoughts? Have you ever participated in a Bug Bounty program or in any form of security code reviewing (SDLC)? We’d love to hear from you!

Leave a comment or reply below...thanks!