An application code review must be performed on the application.

From Application Security and Development Security Technical Implementation Guide

Part of ASDV-PL-003170

Associated with: CCI-003187

SV-84997r1_rule An application code review must be performed on the application.

Vulnerability discussion

A code review is a systematic evaluation of computer source code conducted for the purposes of identifying and remediating the security flaws in the software.This requirement is meant to apply to developers or organizations that are doing application development work and have the responsibility for maintaining the application source code.Examples of security flaws include but are not limited to:- format string exploits- memory leaks - buffer overflows - race conditions- sql injection- dead/unused/commented code- input validation exploitsThe code review is conducted during the application development phase, this allows discovered security issues to be corrected prior to release.Code reviews performed after the development phase must eventually go back to development for correction so conducting the code review during development is the logical and preferred action.Automated code review tools are to be used whenever reviewing application source code. These tools are often incorporated into Integrated Development Environments (IDE) so code reviews can be conducted during all stages of the development life cycle. Periodically reviewing code during the development phase makes transition to a production environment easier as flaws are continually identified and addressed during the development phase rather than en masse at the end of the development effort.Code review processes and the tools used to conduct the code review analysis will vary depending upon application architecture and the development languages utilized.In addition to automated testing, manual code reviews may also be used to validate or augment automated code review results. Larger projects will have a large code base and will require the use of automated code review tools in order to achieve complete code review coverage.A manual code review may consist of a peer review wherein other programmers on the team manually examine source code and automated code review results for known flaws that introduce security bugs into the application.As with any testing, there is no single best approach and the tests must be tailored to the application architecture. Use of automated tools along with manual review of code and testing results is considered a best practice when conducting code reviews. This method is the most likely way to ensure the maximum number of errors are caught and addressed prior to implementing the application in a production environment.

Check content

This requirement is meant to apply to developers or organizations that are doing the application development work and have the responsibility for maintaining the application source code. Otherwise, the requirement is not applicable. Review the system documentation and ask the application representative to describe the code review process or provide documentation outlining the organizations code review process. If code reviews are conducted with software tools, have the application representative provide the latest code review report for the application. Ensure the code review looks for all known security flaws including but not limited to: - format string exploits - memory leaks - buffer overflows - race conditions - sql injection - dead/unused/commented code - input validation exploits If the organization does not conduct code reviews on the application that attempt to identify all known and potential security issues, or if code review results are not available for review, this is a finding.

Fix text

Conduct and document code reviews on the application during development and identify and remediate all known and potential security vulnerabilities prior to releasing the application.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer