Secure Code Review Study Plan

This page is kept in sync with jassics/security-study-plan/secure-code-review-study-plan

This study plan is designed to help you master Secure Code Review - methodologies, common vulnerabilities, tools, and best practices for finding security flaws in source code. Pair it with the site's Secure Code Review guide for the full methodology writeup.

ToC

  1. Code Review Fundamentals - 2 weeks
  2. Common Vulnerabilities in Code - 2 weeks
  3. Process and Checklists - 2 weeks
  4. Tools and Automation - 2 weeks
  5. Resources

Code Review Fundamentals

Duration: 2 weeks

Week 1-2: The Basics

  1. What is Secure Code Review?
    • Functional review vs. security review
    • Manual vs. automated review
  2. Code Review Strategies:
    • Top-down - start from high-level logic/entry points
    • Bottom-up - start from sensitive functions (sinks)
  3. Secure Coding Principles: input validation, output encoding, least privilege, defense in depth - see Secure Coding

Common Vulnerabilities in Code

Duration: 2 weeks

Week 3-4: Spotting Bugs

  1. OWASP Top 10 (Code Perspective):
    • Injection - SQLi, command injection (unparameterized queries, eval(), exec())
    • Broken Auth - hardcoded credentials, weak session management
    • XSS - lack of context-aware encoding
    • Insecure Deserialization - unsafe handling of serialized objects
  2. Language-Specific Issues:
    • Java - deserialization, XXE
    • Python - pickle, eval(), Jinja2 SSTI
    • JavaScript/Node.js - prototype pollution, eval()
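A small illustration of the bottom-up strategy from Week 1-2 applied to the Python issues listed above: start from known sinks (eval/exec, pickle.loads, os.system, DB execute calls) and flag call sites whose arguments need tracing. This is an added example, not code from the study plan or from jassics/security-study-plan; the sink lists and the sample source (SAMPLE) are constructed for the demonstration, and a real review would trace each finding back to its input source.

```python
import ast

# Sinks a bottom-up review starts from (constructed for this example; not exhaustive).
DANGEROUS_CALLS = {"eval", "exec", "pickle.loads", "os.system", "subprocess.call"}
QUERY_SINKS = {"execute", "executemany"}

def _dotted(expr: ast.expr) -> str:
    """Dotted name of a callee, e.g. 'pickle.loads' or 'cursor.execute'."""
    if isinstance(expr, ast.Name):
        return expr.id
    if isinstance(expr, ast.Attribute):
        base = _dotted(expr.value)
        return f"{base}.{expr.attr}" if base else expr.attr
    return ""

def _is_dynamic_string(expr: ast.expr) -> bool:
    """True when the argument is assembled at runtime: f-string, % or + on strings, .format()."""
    if isinstance(expr, ast.JoinedStr):
        return True
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Add, ast.Mod)):
        return True
    return isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute) and expr.func.attr == "format"

def find_sinks(source: str) -> list[tuple[int, str, str]]:
    """Return (line, sink, reason) findings, sorted by line, for manual triage."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name in DANGEROUS_CALLS:
            findings.append((node.lineno, name, "dangerous sink: trace the argument back to its source"))
        elif name.rsplit(".", 1)[-1] in QUERY_SINKS and node.args and _is_dynamic_string(node.args[0]):
            findings.append((node.lineno, name, "query text built at runtime: expect bound parameters"))
    return sorted(findings)

# Constructed sample under review: one concatenated query, one parameterized query, two other sinks.
SAMPLE = '''
import os, pickle
def lookup(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
def lookup_safe(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))
def load(blob):
    return pickle.loads(blob)
def run(path):
    os.system(f"ls {path}")
'''

if __name__ == "__main__":
    for line, sink, reason in find_sinks(SAMPLE):
        print(f"line {line}: {sink} - {reason}")
```

The parameterized execute on the sample's line 6 is not reported, which is the point: the checker narrows the reviewer's attention to the call sites where data reaches a sink unbound.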

Process and Checklists

Duration: 2 weeks

Week 5-6: Systematic Review

  1. OWASP Secure Code Review Guide - read it to understand the methodology
  2. Checklists: authentication & authorization, data validation, error handling & logging, cryptography (weak algorithms, hardcoded keys)
  3. Reviewing Business Logic: race conditions, order-of-operations flaws, price manipulation

Tools and Automation

Duration: 2 weeks

Week 7-8: SAST & IDE Plugins

  1. Static Application Security Testing (SAST):
    • SonarQube - setup and rule configuration
    • Semgrep - writing custom rules (highly recommended) - see the site's SAST guide
    • CodeQL - querying code as data
  2. IDE Plugins: Snyk, SonarLint
  3. Limitations of Tools: understanding false positives/negatives, and why manual review is still needed for logic bugs

Resources

Guides

Tools

Practice

Interview Questions

Secure code review questions are commonly bundled into Application Security interview questions.

Practice next: Application Security interview questions, and jassics/security-study-plan for the latest updates to this plan.