Code Review and Static Code Analysis
Code inspection is another useful method for preventing security issues. It comes in two flavors:
- Code reviewed or previewed by a colleague
- Static code analysis
Code reviews for security can happen for every feature that you implement. Alternatively, you can use social programming techniques such as pair programming or mob/ensemble programming for all or for some of the features.
Static code analysis can supplement the visual inspection by providing sometimes lesser known issues stemming from the language. Both OWASP and NIST harbor lists of static code analysis tools you can use for security. You can find the lists on their websites:
- OWASP: https://owasp.org/www-community/Source_Code_Analysis_Tools
- NIST: https://www.nist.gov/itl/ssd/software-quality-group/source-code-security-analyzers
Be aware that static code analysis has strong limitations in finding non-trivial vulnerabilities. It merely looks for patterns of usage that create vulnerabilities, but it is much harder for it to find issues with authentication, access control, cryptography etc. You will find these either through visual inspection, automated testing, pen testing, or threat modeling.