Beating the code review plateaux

PentesterLab
May 3, 2024

In every field, people eventually hit plateaux in their progression. Security code review is no different. In this article, we explore common reasons for these plateaux and how to overcome them!

Security Code Review can be frustrating…

1. You only use grep

A common reason for hitting a plateau is relying solely on “grep” to find bugs, hoping for quick wins. “Grepping for a bug” is a valid strategy, but grep only finds the patterns you already know to look for, so it is not the best way to learn and improve your skills, and it can be very frustrating when the easy hits run out. Try to use grep less and spend more time actually reading the code. Remember, in security code review, you get out what you put in. Low effort leads to low reward!

2. You only search for vulnerabilities

Limiting yourself to searching for security issues can hinder your progression. You need to spend time and explore the codebase to understand its architecture and the developers’ style and common patterns. This broader understanding helps you find vulnerabilities that others might have missed. Simply searching for known vulnerabilities will only yield expected results. Reading and understanding the code can reveal the unknown unknowns.

3. You don’t go deep

Another plateau arises when you don’t spend enough time on the same code. Finding vulnerabilities requires discovering issues that developers and perhaps other security researchers overlooked. This requires deep focus on reading and re-reading the same sections of code. Browsing won’t cut it; you need to dive deep and get obsessed with specific lines of code to uncover hidden issues.

4. You don’t use deliberate practice

Deliberate practice, a focused and purposeful way of practicing to improve your skills, is key in any discipline, including security code review. But what does deliberate practice look like in this context? Here are a few activities:

  • Study CVEs: Analyze patches to understand what was changed, what the vulnerable code looked like, and how issues were fixed.
  • Read documentation: Gain a deeper understanding of the languages and frameworks you use to spot potential unexpected behaviours and pitfalls.
  • Fuzz code snippets: Explore small pieces of code to find possible unexpected behaviours.

5. You don’t do it enough

Consistent practice is crucial in security code review. To get better at uncovering vulnerabilities, you need regular practice not only to hone your skills but also to build your resilience. Enduring through periods when no bugs are found is key; your persistence during these dry spells often makes the difference. By continuing to search when others might give up, you increase your chances of finding more vulnerabilities.

We hope this post gives you useful strategies to overcome the plateaux in your security code review journey. To further enhance your skills, make sure you check out PentesterLab’s Code Review and Java Code Review badges!


PentesterLab provides online exercises to learn web penetration testing. You can learn more about PentesterLab by visiting https://pentesterlab.com/