PW.7: Review and/or Analyze Human-Readable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements

Help identify vulnerabilities so that they can be corrected before the software is released to prevent exploitation. Using automated methods lowers the effort and resources needed to detect vulnerabilities. Human-readable code includes source code, scripts, and any other form of code that an organization deems human-readable.

PW.7.1

Determine whether code review (a person looks directly at the code to find issues) and/or code analysis (tools are used to find issues in code, either in a fully automated way or in conjunction with a person) should be used, as defined by the organization.

Implementation Examples
  • Example 1: Follow the organization's policies or guidelines for when code review should be performed and how it should be conducted. This may include third-party code and reusable code modules written in-house.
  • Example 2: Follow the organization's policies or guidelines for when code analysis should be performed and how it should be conducted.
  • Example 3: Choose code review and/or analysis methods based on the stage of the software.
References

PW.7.2

Perform the code review and/or code analysis based on the organization's secure coding standards, and record and triage all discovered issues and recommended remediations in the development team's workflow or issue tracking system.

Implementation Examples
  • Example 1: Perform peer review of code, and review any existing code review, analysis, or testing results as part of the peer review.
  • Example 2: Use expert reviewers to check code for backdoors and other malicious content.
  • Example 3: Use peer reviewing tools that facilitate the peer review process, and document all discussions and other feedback.
  • Example 4: Use a static analysis tool to automatically check code for vulnerabilities and compliance with the organization's secure coding standards, with a human reviewing the issues reported by the tool and remediating them as necessary.
  • Example 5: Use review checklists to verify that the code complies with the requirements.
  • Example 6: Use automated tools to identify and remediate documented and verified unsafe software practices on a continuous basis as human-readable code is checked into the code repository.
  • Example 7: Identify and document the root causes of discovered issues.
  • Example 8: Document lessons learned from code review and analysis in a wiki that developers can access and search.
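As an added illustration of Examples 4 and 6 (this is not part of SP 800-218 and not a NIST tool), the following toy static analyzer checks Python source against a small, constructed secure coding standard and emits each discovered issue as a triage record (rule, severity, location, recommended remediation, status) that an issue tracker could ingest. The rule identifiers (SCS-001 to SCS-004), the rule text, and the sample source it scans are all constructed for the example; a real organization would substitute its own standard and a mature analyzer.

```python
"""Toy static analysis for PW.7.2: check code against a secure coding standard
and record findings as triage records. Added example; rules and sample code
are constructed, not taken from NIST SP 800-218."""
import ast
import json
from dataclasses import dataclass, asdict

# Constructed secure-coding rules: id -> (severity, description, remediation)
RULES = {
    "SCS-001": ("high", "eval()/exec() on runtime data",
                "Replace with ast.literal_eval or explicit parsing"),
    "SCS-002": ("high", "subprocess call with shell=True",
                "Pass an argument list and leave shell=False"),
    "SCS-003": ("medium", "Weak hash algorithm (md5/sha1)",
                "Use hashlib.sha256 or stronger"),
    "SCS-004": ("medium", "Hardcoded credential in assignment",
                "Load secrets from a vault or the environment at runtime"),
}


@dataclass
class Finding:
    """One record for the development team's issue tracker."""
    rule_id: str
    severity: str
    path: str
    line: int
    description: str
    remediation: str
    status: str = "open"  # triage state; a reviewer moves it to fixed/accepted


def _call_name(node):
    """Return 'name' or 'module.attr' for a call target, else ''."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


class RuleVisitor(ast.NodeVisitor):
    def __init__(self, path):
        self.path = path
        self.findings = []

    def _report(self, rule_id, node):
        severity, desc, fix = RULES[rule_id]
        self.findings.append(Finding(rule_id, severity, self.path, node.lineno, desc, fix))

    def visit_Call(self, node):
        name = _call_name(node)
        if name in ("eval", "exec"):
            self._report("SCS-001", node)
        if name in ("subprocess.run", "subprocess.Popen", "subprocess.call",
                    "subprocess.check_output"):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self._report("SCS-002", node)
        if name in ("hashlib.md5", "hashlib.sha1"):
            self._report("SCS-003", node)
        self.generic_visit(node)  # keep walking into nested calls

    def visit_Assign(self, node):
        secret_words = ("password", "secret", "api_key", "token")
        for target in node.targets:
            if isinstance(target, ast.Name) and any(w in target.id.lower() for w in secret_words):
                v = node.value
                if isinstance(v, ast.Constant) and isinstance(v.value, str) and v.value:
                    self._report("SCS-004", node)
        self.generic_visit(node)


def analyze(source, path="<memory>"):
    """Run every rule over one file's source and return its findings."""
    visitor = RuleVisitor(path)
    visitor.visit(ast.parse(source, filename=path))
    return visitor.findings


def triage(findings):
    """Simple triage: highest severity first, then by file and line."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.path, f.line))


def to_tracker_json(findings):
    """Serialize records for import into an issue tracking system."""
    return json.dumps([asdict(f) for f in findings], indent=2)


# Constructed sample input that violates each rule once.
SAMPLE = '''import hashlib, subprocess
DB_PASSWORD = "hunter2"
def run(cmd):
    return subprocess.run(cmd, shell=True)
def digest(data):
    return hashlib.md5(data).hexdigest()
def load(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    print(to_tracker_json(triage(analyze(SAMPLE, "sample.py"))))
```

Run on the sample, the analyzer produces four open records ordered for a human reviewer: the two high-severity items (shell=True at line 4, eval at line 8) before the two medium ones. Wiring `analyze` into a pre-commit hook or CI job and failing the check on any `high` finding is the continuous form of Example 6; the `status` field is what the reviewer updates after confirming, fixing, or accepting each issue.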
References
  • BSAFSS: TV.2, PD.1-4
  • BSIMM: CR1.2, CR1.4, CR1.6, CR2.6, CR2.7, CR3.4, CR3.5
  • IDASoar: 3, 4, 5, 14, 15, 48
  • IEC62443: SI-1, SVV-1, SVV-2
  • IR8397: 2.3, 2.4
  • ISO27034: 7.3.6
  • MSSDL: 9, 10
  • NISTLABEL: 2.2.2.2
  • OWASPASVS: 1.1.7, 10
  • OWASPMASVS: 7.5
  • OWASPSAMM: IR1-B, IR2-A, IR2-B, IR3-A
  • PCISSLC: 3.2, 4.1
  • SCAGILE: Operational Security Tasks 4, 7; Tasks Requiring the Help of Security Experts 10
  • SCFPSSD: Use Code Analysis Tools to Find Security Issues Early, Use Static Analysis Security Testing Tools, Perform Manual Verification of Security Features/Mitigations
  • SCSIC: Peer Reviews and Security Testing
  • SP80053: CA-02, CM-09, RA-05, SA-11, SA-11(01), SA-11(04), SA-15, SA-15(07), SI-02
  • SP800161: CA-02
  • SP800181: SP-DEV-001, SP-DEV-002; T0013, T0111, T0176, T0267, T0516; K0009, K0039, K0070, K0140, K0624; S0019, S0060, S0078, S0137, S0149, S0167, S0174, S0242, S0266; A0007, A0015, A0036, A0044, A0047