Secure Code Review aims to identify a software application’s source code to identify and rectify potential security vulnerabilities. This proactive process aims to ensure that the codebase adheres to established security best practices, minimizing the risk of exploitation by malicious actors.
This case study details a secure code review process of a Web Application.
Review Methodology
Commenced the secure code review by analyzing the source code of the client’s web application.
- Preparation:
- Clearly defined the scope of the code review
- Established a secure code review checklist based on OWASP Top 10 and industry best practices.
- Automation:
- Used automated tools to assess the code for potential issues, vulnerabilities, and adherence to coding standards.
- Reviewers analysed the tool findings and prioritized potential issues based on severity and exploitability.
- Manual Analysis
- Manual validation of significant issues is conducted in line-by-line inspection of the application code, focusing on areas identified by static analysis.
- Reporting and Remediation
- Findings written up into a formal report the detailed issues with suggested remediation actions.
- The development team addressed the findings by implementing secure coding practices and fixing identified vulnerabilities.
- Reviewers verified the implementation of fixes through code review and retesting.
Challenges Faced
- large and complex codebase
- Integration with Multiple Technologies
- Third-Party Software Solutions
Additionally, communicating the importance of certain security measures to the development team required a delicate balance.
Strategy Used
We leveraged automated scanning tools alongside manual code reviews to ensure a comprehensive assessment.
- Used code navigation tools to assist in navigating the large codebase efficiently.
- Ensure that reviewers have expertise in the relevant technologies.
- Use automated tools to enforce coding standards where possible.
Findings and Outcomes
- Identified and remediated several security vulnerabilities including Filtering Sensitive Logs, Unsafe Use Of Target blank, Prototype Pollution.
- Our proactive approach ensured that potential threats were mitigated before they could be exploited.
Example of a Prototype Pollution
Prototype pollution is an injection attack that targets JavaScript runtimes. With prototype pollution, an attacker might control the default values of an object’s properties. This allows the attacker to tamper with the logic of the application and can also lead to denial of service or, in extreme cases, remote code execution.
Let’s explore how Prototype Pollution can be identified in a real-time scenario. Assigning external properties without validation may allow object properties pollution and affect application’s normal behavior. Using Map for these properties can help mitigate such risks.
Consider the following code snippet where unsafe object assignment can occur:
const initialValues = {} as { [key in number]: { [key in string]: string | number | boolean } };
To avoid prototype pollution and ensure that only valid keys are added to initialValues, use a Map instead of an object. Initializing properties with the Map class ensures they are instances of the Map class, reducing the risk of accidental or malicious manipulation of prototypes.
const initialValues = new Map<number, { [key in string]: string | number | boolean }>();
Other mitigation strategies for prototype pollution are
- Validate object properties prior assignment.
- Use of JSON schema validators are recommended.
Secure Code Practice Reference:
Â
Conclusion
In conclusion, the secure code review significantly enhanced the security posture of the client’s application. The collaborative effort between our team and the client’s developers ensured a thorough understanding of security best practices ensured improved code quality and maintainability.
