
How to do Code Review: Find Vulnerabilities in Software

Hands-on exercises, informative reads, insights from industry experts, and engaging video content

Dive into this handpicked collection of code review resources from my free weekly Hive Five newsletter, curated to sharpen your grasp of code review and broaden your security skillset.

Whether you're kicking off your journey or a seasoned pro keeping tabs on the freshest techniques, these materials cover a wide range of topics.

Find hands-on exercises, informative reads, insights from industry experts, and engaging video content.

Consider this compilation your all-encompassing guide to boost your code review expertise.

As always, let me know what's missing. Take them by swarm!

Practice

  • Complete PentesterLab's code review badge. As of today, it has 81 videos and 107 exercises, covering Golang, PHP, Ruby, JavaScript/TypeScript, Java, and Python. PENTESTERLAB | Farah's challenge

  • OpenSecurityTraining2 Vulnerabilities 1001: C-Family Software Implementation Vulnerabilities. OST2

Read

  • The GitHub Security Lab team conducted a collaborative review of one of their favorite pieces of software: Home Assistant. GITHUB

  • Read all the analysis from the team at Rapid7 over on AttackerKB. ATTACKERKB

  • A guide by Louis on How to start reviewing code. PENTESTERLAB

  • Finding command execution sinks in decompiled JVM languages. DEESEE

  • A paper describing cool new tricks for crafting targeted vulnerabilities that are invisible to human code reviewers. LIGHTBLUETOUCHPAPER

  • OWASP Source Review Guide 2.0. OWASP

  • The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. AMAZON

  • Semgrep: Writing quick rules to verify ideas. DEESEE

  • RCE in GitLab's CLI tool. GitLab performed a code review of their CLI tool to look for improper usage of exec.Command. TAKEMYHAND

  • Chasing a Dream: Pre-authenticated Remote Code Execution in Dedecms. SRCINCITE

“When you are doing code review on WordPress plugins, always check the usage of esc_like and whereRaw for the SQL queries; if esc_sql is not used with esc_like, it will result in SQL injection 99% of the time.”

Mustafa

Tips

  • Shubs on doing offensive security source code review more effectively. TWITTER

  • Mustafa shares a WordPress plugin code review tip: "Always check the usage of esc_like and whereRaw for the SQL queries." TWITTER

  • Shubs shares his observations on iterations in app sec: "I’m surrounded by people specifically in the source code review and bug bounty space that are innovating, learning and adapting constantly [...]" TWITTER

Watch

  • How to do Code Review: The Offensive Security Way talk by Shubs. YOUTUBE

  • Application Security How-To: Ken’s Secure-Code Review of an application codebase. YOUTUBE

  • How to Analyze Code for Vulnerabilities. Vickie goes through the basics of reviewing your code for vulnerabilities and some tactics for performing an effective security code review on your application. YOUTUBE

  • An 8-part series on Improving your Secure Code Review by wireghoul. YOUTUBE

  • An interview with Shubham Shah, one of the hackers people look up to in the bug bounty space and an expert in source code review who regularly finds 0days. more

  • How to conduct a basic security code review by Security Simplified. YOUTUBE

  • Finding IDORs with code reviews by Farah (short). YOUTUBE

  • NahamCon2022 talk by Shubs: Finding 0days in Enterprise Web Applications. YOUTUBE

  • "Source code security audit speed run" by Eldar Marcussen. YOUTUBE

Resources

  • SonarSource static code analysis. 5000+ Static Analysis Rules across 30+ programming languages. SONARSOURCE

  • A collection of 0xdea's Semgrep rules to facilitate vulnerability research. GITHUB

  • Code review checklist that helps you be a more effective and efficient code reviewer. GITHUB

  • Raudit is a simple script and set of signatures that lets you find potential security flaws in source code using the GNU utility grep. GITHUB

๐Ÿ Hive Five is an authentic, hand-crafted, human-written weekly newsletter that is free, but not cheap. Consider supporting my work by becoming a paid member for just $99 per year.