Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Getting Started with Code Reviews

Getting Started with Code Reviews

This talk, given at SB-Meetup Pune on 27 Nov 2022, discusses the approach to getting started with secure code reviews.

Prateek Thakare

November 27, 2022
Tweet

More Decks by Prateek Thakare

Other Decks in Technology

Transcript

  1. Getting Started with Code Reviews BY PRATEEK THAKARE

  2. Bug Bounty Hunter Security Consultant at Payatu Learner Part Time

    Full Time Life long ABOUT ME
  3. Presentations are tools that can be used as lectures Presentations

    are tools that can be used as lectures Presentations are tools that can be used as lectures 01 - What, Why & How? 02 - Automated Code Review 03 - Manual Code Review AGENDA 04 - Understanding requests flow 05 - Routes 06 - Understanding Functions Presentations are tools that can be used as lectures 07 - Understanding Software Architecture Presentations are tools that can be used as lectures 08 - Examples
  4. Helps uncover hidden issues Gives a more in-depth understanding of

    things happening under the hood Reveals not only flaws due to insecure coding practices, but also logical flaws. WHY CODE REVIEWS? Helps uncover hidden issues Helps in creating more test cases
  5. Helps uncover hidden issues Code reviews should be part of

    development cycle to avoid any insecure coding practices to be deployed in production. WHAT ARE CODE REVIEWS? Code reviews are analysis of source code of an application to uncover vulnerabilities.
  6. Code Reviews HOW TO DO A CODE REVIEW? Manual Automation

  7. Involves use of tools like semgrep, checkmarx, sonarqube etc. Tools

    Use Dependabot GitHub dependabot provides you with alerts related to vulnerabilities in the dependencies you use. These tools can be integrated into the CI/CD (continuous integration and continuous development) pipeline to find bugs before deployment. AUTOMATION
  8. These tools are built upon some static rulesets that search

    for patterns or regular expressions and specific keywords within the codebase. Any idea how these tools detect vulnerabilities? RULESETS
  9. Helps uncover hidden issues You will miss logical issues. You

    might also miss bypasses for vulnerabilities which were found using scanners. As they work on rules, you can find only those vulnerabilities whose rules can be formulated. ANY DRAWBACKS?
  10. MANUAL CODE REVIEW Reviewing code manually unleashes more hidden issues

    than automation can ever find. Why? How? Manual code review is efficient with IDEs which makes your flow through code easy. Manual code review involves analyzing code line by line. Tools
  11. WHAT'S REQUIRED Programming fundamentals, Object Oriented Programming concepts (OOP), working

    of functions, use of variables, etc. Prerequisites Architecture The organizational level code base is very large, spread across different repositories. Large codebases are organized using software architectures like MVC, client-server, layered patterns, etc. Any roadblocks?
  12. Let us understand first how applications handle your requests. But

    from where should we start reviewing code when the codebase is huge? GETTING STARTED
  13. HOW REQUESTS ARE HANDLED? You visit an endpoint say /admin

    It hits the server you make connection with The application listening on the port handles your request. Response There is mapper written in application where this request falls. This request is passed on to the appropriate function or logic by this mapper The logic processes the request and the gives back the response to you
  14. Helps uncover hidden issues Routes map the URL path with

    the functions which have the logic necessary for processing. In every application you can find a similar type of file which serve as request routers. ROUTES Those mappers discussed are often referred to as ROUTES. To start reviewing code in large code bases best way to start is either reviewing it from routes or starting from main function.*
  15. Helps uncover hidden issues APPROACH Look for the routes file.

    Head towards the function associated with that route Analyse the function Validate the checks in the function for permissions and data sanitization Validate how the functions are handling failing conditions. Understand how data is processed and how is flows.
  16. Helps uncover hidden issues IN ACTION Let's have a walkthrough

    of a REST API code developed in Django
  17. Helps uncover hidden issues UNDERSTANDING FUNCTIONS Function Name: ArrayAddition In-Parameters:

    arr, size Out-Parameters: sum Local Parameters: i, sum What is function doing? The function is taking input as the address of array stored in pointer variable and its size. It is running a for loop over the array and storing the sum of the array in the sum variable which is returned as out parameter.
  18. Helps uncover hidden issues UNDERSTANDING ARCHITETURE Organisational codebase has to

    be structured in a specific way. Using right pattern can increase speed, productivity and speed. There are numerous patterns which are used across industries. Understaning the pattern used in the codebase helps us to locate right files and study data flow easily.
  19. Helps uncover hidden issues MVC ARCHITECTURE One such architecture is

    Model-View- Controller(MVC) The whole application is divided into three parts. Model contains the data and main functionality. View displays the data and interacts with the user. Controller acts as the handles user input and acts as mediator between view and model. Source: Wikipedia Further read: RedHat Blog
  20. AN EXAMPLE Source: Github CodeQL

  21. SIMPLE LOGICAL ISSUE

  22. RESOURCES The query help section has snippets with vulnerable code

    and its patch. CodeQL github Hackerrank To get started, pick up any damn vulnerable open-source software and do a code review of it. Hackerrank is a very nice platform to learn the basics of programming languages and problem solving. OSS Hackerone disclosed reports for programs like GitLab, Internet Bug Bounty, etc have many reports discussing the vulnerability from the perspective of code. Hackerone reports Semgrep Learn can help you get started with creating semgrep rules. Semgrep Learn
  23. CONNECT WITH ME @thakare_prateek Twitter LinkedIn /prateek-thakare

  24. Thank You!!