Pushing Left, Like a Boss - Part 7: Code Review and Static Code Analysis/Static App Sec Testing (SAST)
This article is about secure code review, often paired with tools that perform Static Application Security Testing (SAST). This article is part of a series, and the previous article was Part 6: Threat Modelling.
Note: Some people also put SCA (Software Composition Analysis) in this category, in which case they mean verifying that your dependencies are not known to be vulnerable. In this article I mean reviewing the code you wrote for vulnerabilities, with a tool and/or manually. We are not going to cover SCA here, but you should still do it!
When application security folks say ‘static’ analysis, we mean that we look at the written code without executing it, as opposed to ‘dynamic’ analysis, which means testing your code while it is running (for example, deployed on a web server).
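To make the ‘static’ half of that distinction concrete, here is an added example (not from the article, and not any real SAST product) of two tiny static-analysis rules: they parse Python source into a syntax tree and flag risky call patterns without ever running the code. The sample module being scanned, and the rule ids, are constructed for this illustration.

```python
import ast

# Constructed sample module to scan (not from the original article): two
# patterns a SAST rule would flag, each beside a safe counterpart.
SAMPLE_SOURCE = '''import sqlite3

def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")  # flagged
    return cur.fetchone()

def find_user_safe(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))  # parameterised
    return cur.fetchone()

def calc(expr):
    return eval(expr)  # flagged: eval on a runtime value

def const_calc():
    return eval("1 + 1")  # constant argument, not flagged
'''


def _is_dynamic_string(node):
    """True if the expression builds a string at runtime (concat, %, f-string, .format)."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def scan_source(source):
    """Walk the AST without executing anything; return sorted (line, rule_id) findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        first, func = node.args[0], node.func
        # Rule 1: cursor.execute(<string built at runtime>) -> SQL injection risk
        if isinstance(func, ast.Attribute) and func.attr == "execute" and _is_dynamic_string(first):
            findings.append((node.lineno, "sql-string-concat"))
        # Rule 2: eval(<non-constant expression>) -> code injection risk
        elif isinstance(func, ast.Name) and func.id == "eval" and not isinstance(first, ast.Constant):
            findings.append((node.lineno, "eval-dynamic"))
    return sorted(findings)
```

Running `scan_source(SAMPLE_SOURCE)` reports lines 5 and 14 and stays silent on the parameterised query and the constant `eval`, which is exactly the kind of signal (and the kind of pattern-matching blind spots) a manual reviewer then has to confirm or dismiss.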
I wasn’t sure if I was going to cover this topic, even though I know code review is very important. I personally find code review very difficult; my attention span is short and I can be impatient at times (such as when I am awake). Code review demands both patience and intense concentration. That said, it’s a highly valuable activity which can find a lot of security problems, far before you get to the testing or release stages, potentially saving both time and money.

There are two options for doing code review: manually or with a tool. There are pros and cons to each.

