172 Core Software Security
using automated tools is the possible sense of security in believing there
are no security issues in your software if no security issues are identified
as a result of the scan. A significantly sized and complex software product
should never be assumed to be free of security vulnerabilities. All possible
steps should be taken to limit the number of coding errors and reduce
their practical impact, but something is always missed. Automated secu-
rity tools are able to identify more and more coding errors, but some vul-
nerabilities will still be missed and either not detected or hidden among
large numbers of false positives. Manual source code analysis is not a
replacement for these tools, but it helps maximize the identification of
vulnerabilities when integrated with them. As mentioned throughout this
book, it requires a holistic approach to security, including a human ele-
ment, to ensure that both false positives are false and that the code is really
free of security vulnerabilities in spite of being given what appears to be a
clean bill of health by the automated tools. Using both methods together
enables reviewers to identify more software security vulnerabilities both
efficiently and cost-effectively. For these reasons, automated review com-
bined with a manual review is the best approach.
To catch the simpler issues, available security tools should be run
against the code before manual review begins. To avoid finding already-
known issues, all previously identified security vulnerabilities should be
fixed. A manual scan is then conducted to gain a better understanding
of the code and to recognize patterns; the results of the scan will iden-
tify areas that merit further analysis as the reviewers analyze the code for
security issues in Step 3 below. This effort, however, should be a small
percentage of the total code review time and should focus on answering
the following questions:
• Input data validation: Does the application have an input validation
architecture? Is validation performed on the client, on the server, or
both? Is there a centralized validation mechanism, or are validation
routines spread throughout the code base?
• Code that authenticates and authorizes users: Does the application
authenticate users? What roles are allowed, and how do they inter-
act? Is there custom authentication or authorization code?
• Error-handling code: Is there a consistent error-handling architecture?
Does the application catch and throw structured exceptions? Are
there areas of the code with especially dense or sparse error handling?