Preface to the article
In the code audit part of the SDL security testing process, we usually run code audit tools over the source code, review the scan results to screen out the real security issues, and submit them to developers as security work orders for repair. The advantage of code audit tools is that they audit quickly and cover the whole code base, but they also produce many false positives and miss many issues. Some companies therefore add a manual secondary security audit of the source code when time allows, but manual audits have their own common problem: they take a long time and it is difficult to ensure complete coverage of the code.
Audit ideas
The following takes a Java project code audit as an example and gives the audit ideas:
code level
Auditors can search the project code for insecure coding patterns and uses of unsafe functions to find common risks, such as the OWASP Top 10 vulnerabilities:
XXE
SQL injection
Command execution
File upload
File reading
JNDI injection
Deserialization vulnerability
......
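A small sink scanner shows what the code-level search above looks like in practice. This is an added example, not code from the original article or from any tool it mentions: the sink catalogue (SINKS), the Finding class and the sample Java class UserController are all constructed for illustration, and the regexes are an assumed, deliberately incomplete starting list that an auditor would extend for their own project. Every match is a location to review by hand, not a confirmed vulnerability.

```python
import re
from dataclasses import dataclass

# Hypothetical sink catalogue (an assumption of this example, not an exhaustive or
# authoritative list): risk category from the article -> regexes for Java APIs that
# an auditor would review wherever they appear.
SINKS = {
    "XXE": [r"\b(DocumentBuilderFactory|SAXParserFactory|XMLInputFactory)\.newInstance\s*\(",
            r"new\s+SAXReader\s*\(", r"XMLReaderFactory\.createXMLReader"],
    # only flag execute*/prepareStatement calls whose argument is built with '+'
    "SQL injection": [r"\.(executeQuery|executeUpdate|execute|prepareStatement)\s*\(.*\+"],
    "Command execution": [r"Runtime\.getRuntime\(\)\.exec\s*\(", r"new\s+ProcessBuilder\s*\("],
    "File upload": [r"\bMultipartFile\b", r"\.transferTo\s*\("],
    "File reading": [r"new\s+(FileInputStream|FileReader)\s*\(",
                     r"Files\.read(AllBytes|AllLines|String)\s*\("],
    "JNDI injection": [r"new\s+InitialContext\s*\(", r"\.lookup\s*\("],
    "Deserialization": [r"new\s+(ObjectInputStream|XMLDecoder)\s*\(", r"\.readObject\s*\("],
}
COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in SINKS.items()}


@dataclass
class Finding:
    path: str
    line_no: int
    category: str
    code: str


def is_comment(line):
    """Cheap heuristic: skip whole-line comments so commented-out code is not reported."""
    s = line.strip()
    return s.startswith("//") or s.startswith("/*") or s.startswith("*")


def scan_source(path, text):
    """Return one Finding per (line, category) where any sink pattern matches."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if is_comment(line):
            continue
        for category, patterns in COMPILED.items():
            if any(p.search(line) for p in patterns):
                findings.append(Finding(path, line_no, category, line.strip()))
    return findings


def summarize(findings):
    """Count findings per category; the counts give the auditor a review order."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample source (not meant to compile): it mixes risky and safe calls
# so the scanner's behaviour on both can be seen.
SAMPLE_JAVA = """\
package com.example.demo;
import java.io.*;
public class UserController {
    // runtime.exec in a comment should not be flagged
    public String search(String name) throws Exception {
        Statement st = conn.createStatement();
        ResultSet rs = st.executeQuery("SELECT * FROM users WHERE name = '" + name + "'");
        PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE id = ?");
        return rs.getString(1);
    }
    public void ping(String host) throws IOException {
        Runtime.getRuntime().exec("ping " + host);
    }
    public Object load(InputStream in) throws Exception {
        ObjectInputStream ois = new ObjectInputStream(in);
        return ois.readObject();
    }
    public void upload(MultipartFile file) throws IOException {
        file.transferTo(new File("/tmp/" + file.getOriginalFilename()));
    }
    public Object lookup(String name) throws Exception {
        return new InitialContext().lookup(name);
    }
}
"""

if __name__ == "__main__":
    results = scan_source("UserController.java", SAMPLE_JAVA)
    for f in results:
        print(f"{f.path}:{f.line_no} [{f.category}] {f.code}")
    print(summarize(results))
```

The parameterised query on the prepareStatement line is not reported because the pattern requires string concatenation in the call, while the concatenated executeQuery line is; that distinction is exactly what separates a quick triage list from the raw grep output an auditor would otherwise wade through.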
business level
Auditors can infer which business functions a part of the code implements by consulting the project folder directory, the file names, and the comments describing code functionality in the source files, and then look for common design flaws in those business functions:
User login
User registration
Recover password
Account recharge
Modify personal information
......
component framework
Auditors can determine whether insecure third-party open source components are used by checking the project's pom file, and whether the project uses insecure frameworks by checking the project documentation and similar materials:
Framework vulnerabilities
Third-party library vulnerabilities
......
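The pom check above can be started with a few lines of parsing. The following is an added example, not code from the original article: it reads a Maven pom, resolves ${property} versions from the <properties> block, and compares each dependency against an advisory list. The advisory list ADVISORIES and the pom SAMPLE_POM are constructed for illustration (the coordinates under com.example are not real components), and version_lt is a simplified numeric comparison rather than Maven's full version ordering. Dependencies whose version cannot be resolved from this file (inherited from a parent or BOM, or an undefined property) are reported as unresolved so the auditor checks the effective pom instead of silently skipping them.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed advisory list (an assumption of this example, not a real vulnerability
# database): coordinate -> first fixed version; anything below it is treated as affected.
ADVISORIES = {
    "com.example:legacy-xml-parser": "2.0.0",
    "com.example:old-serializer": "1.4.2",
}


def parse_version(v):
    """'1.9.3' -> (1, 9, 3). Stops at the first non-numeric piece ('1.4.2-SNAPSHOT' -> (1, 4, 2)).
    Simplified on purpose; Maven's real ordering also ranks qualifiers such as alpha/rc."""
    parts = []
    for piece in re.split(r"[.\-]", v):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def version_lt(a, b):
    """True if version a sorts before b; pads with zeros so '2.0' equals '2.0.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def resolve(value, props):
    """Expand ${prop} references from <properties>; unknown properties are left as written."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def dependencies(pom_xml):
    """Return [(groupId:artifactId, version-or-None), ...] for the <dependencies> block."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find("m:properties", POM_NS)
    if props_el is not None:
        for p in props_el:
            props[p.tag.split("}")[-1]] = (p.text or "").strip()
    project_version = root.findtext("m:version", default=None, namespaces=POM_NS)
    if project_version:
        props["project.version"] = project_version.strip()
    deps = []
    for d in root.findall("m:dependencies/m:dependency", POM_NS):
        g = d.findtext("m:groupId", default="", namespaces=POM_NS).strip()
        a = d.findtext("m:artifactId", default="", namespaces=POM_NS).strip()
        v = d.findtext("m:version", default=None, namespaces=POM_NS)
        deps.append((f"{g}:{a}", resolve(v.strip() if v else None, props)))
    return deps


def check_pom(pom_xml, advisories=ADVISORIES):
    """Map each coordinate to (version, status) with status in
    {'affected', 'ok', 'no advisory', 'unresolved'}."""
    report = {}
    for coord, version in dependencies(pom_xml):
        if version is None or "${" in version:
            report[coord] = (version, "unresolved")   # check the effective pom by hand
        elif coord in advisories:
            affected = version_lt(version, advisories[coord])
            report[coord] = (version, "affected" if affected else "ok")
        else:
            report[coord] = (version, "no advisory")
    return report


# Constructed sample pom exercising a property-resolved version, an exact fixed
# version, a managed (versionless) dependency and an undefined property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <properties>
    <parser.version>1.9.3</parser.version>
  </properties>
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>legacy-xml-parser</artifactId>
      <version>${parser.version}</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>old-serializer</artifactId>
      <version>1.4.2</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>managed-lib</artifactId></dependency>
    <dependency><groupId>com.example</groupId><artifactId>unknown-lib</artifactId>
      <version>${undefined.version}</version></dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for coord, (version, status) in check_pom(SAMPLE_POM).items():
        print(f"{coord:40} {str(version):22} {status}")
```

The boundary case matters: old-serializer is pinned at exactly the first fixed version, so it is reported ok, while a version such as 1.4.2-SNAPSHOT would also compare equal under this simplified ordering even though Maven treats a snapshot as older than the release; that is one reason the result of a pom scan is a list to verify, not a final verdict.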