Secure Code Review Study Plan
This page is kept in sync with jassics/security-study-plan/secure-code-review-study-plan.
This study plan is designed to help you master Secure Code Review - methodologies, common vulnerabilities, tools, and best practices for finding security flaws in source code. Pair it with the site's Secure Code Review guide for the full methodology writeup.
ToC
- Code Review Fundamentals - 2 weeks
- Common Vulnerabilities in Code - 2 weeks
- Process and Checklists - 2 weeks
- Tools and Automation - 2 weeks
- Resources
Code Review Fundamentals
Duration: 2 weeks
Week 1-2: The Basics
- What is Secure Code Review?
- Functional review vs. security review
- Manual vs. automated review
- Code Review Strategies:
- Top-down - start from high-level logic/entry points
- Bottom-up - start from sensitive functions (sinks)
- Secure Coding Principles: input validation, output encoding, least privilege, defense in depth - see Secure Coding
Common Vulnerabilities in Code
Duration: 2 weeks
Week 3-4: Spotting Bugs
- OWASP Top 10 (Code Perspective):
- Injection - SQLi, command injection (unparameterized queries, eval(), exec())
- Broken Auth - hardcoded credentials, weak session management
- XSS - lack of context-aware encoding
- Insecure Deserialization - unsafe handling of serialized objects
- Language-Specific Issues:
- Java - deserialization, XXE
- Python - pickle, eval(), Jinja2 SSTI
- JavaScript/Node.js - prototype pollution, eval()
Process and Checklists
Duration: 2 weeks
Week 5-6: Systematic Review
- OWASP Secure Code Review Guide - read it to understand the methodology
- Checklists: authentication & authorization, data validation, error handling & logging, cryptography (weak algorithms, hardcoded keys)
- Reviewing Business Logic: race conditions, order-of-operations flaws, price manipulation
Tools and Automation
Duration: 2 weeks
Week 7-8: SAST & IDE Plugins
- Static Application Security Testing (SAST):
- SonarQube - setup and rule configuration
- Semgrep - writing custom rules (highly recommended) - see the site's SAST guide
- CodeQL - querying code as data
- IDE Plugins: Snyk, SonarLint
- Limitations of Tools: understanding false positives/negatives, and why manual review is still needed for logic bugs
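As an added example (not part of the original plan or the jassics repository), the Python script below ties together three items from this plan: the bottom-up strategy of starting from sinks, the Python-specific sinks listed under Common Vulnerabilities (pickle, eval(), Jinja2 SSTI, plus string-built SQL and shell=True), and the tool-limitation point that a rule only finds what it was written to match. It walks a module's AST and reports calls to a small sink table with line numbers, which is roughly what a SAST rule does. The sink table, the Finding type and the sample module it scans are all constructed for this example.

```python
"""Tiny bottom-up sink finder for Python source (added study example, not the
plan's own code).  The sink table and the sample module are constructed here."""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str
    issue: str


# Calls that deserve a reviewer's eye whatever their arguments (constructed table).
SINKS = {
    "eval": "code injection (eval)",
    "exec": "code injection (exec)",
    "pickle.load": "insecure deserialization (pickle.load)",
    "pickle.loads": "insecure deserialization (pickle.loads)",
    "os.system": "command injection (os.system)",
}

# Template sinks are only suspicious when the template is not a string literal.
TEMPLATE_SINKS = {
    "render_template_string": "server-side template injection (Jinja2)",
    "jinja2.Template": "server-side template injection (Jinja2)",
}


def dotted_name(node):
    """Return 'pkg.attr' for Name/Attribute chains, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_string_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def is_string_built(node):
    """Classic query-building shapes: f-string, '%' or '+' on strings, str.format()."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def shell_true(call):
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


class SinkVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = dotted_name(node.func) or ""
        first = node.args[0] if node.args else None
        if name in SINKS:
            self.findings.append(Finding(node.lineno, name, SINKS[name]))
        elif name in TEMPLATE_SINKS and first is not None and not is_string_literal(first):
            self.findings.append(Finding(node.lineno, name, TEMPLATE_SINKS[name]))
        elif name.startswith("subprocess.") and shell_true(node):
            self.findings.append(Finding(node.lineno, name, "command injection (shell=True)"))
        elif name.endswith(".execute") and first is not None and is_string_built(first):
            self.findings.append(Finding(node.lineno, name, "SQL injection (query built from strings)"))
        self.generic_visit(node)  # keep descending: sinks can nest inside other calls


def find_sinks(source):
    """Parse `source` and return findings sorted by line number."""
    visitor = SinkVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample module: lines 5, 9, 12, 13, 16 and 19 are sinks; line 6 is
# the parameterised query that must NOT be reported.
SAMPLE = '''\
import os, pickle, subprocess
from flask import request, render_template_string

def lookup(cursor, user_id):
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

def load(blob):
    return pickle.loads(blob)

def run(cmd):
    subprocess.run(cmd, shell=True)
    os.system("ls " + cmd)

def greet():
    return render_template_string("Hello " + request.args["name"])

def calc(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    for f in find_sinks(SAMPLE):
        print(f"line {f.line:>3}: {f.sink:<24} {f.issue}")
```

Running it prints six findings and stays silent on the parameterised query. The same script also illustrates the false-negative side of tool limitations: `from pickle import loads; loads(blob)` is not in the table under that name and passes unreported, and nothing here can tell a race condition or a price-manipulation flaw from correct code. Those are exactly the cases the plan reserves for manual review.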
Resources
Guides
Tools
Practice
- Secure Code Warrior (free trial/community)
- SonarQube Rules Explorer - learn by seeing bad vs. good code side by side
Interview Questions
Secure code review questions are commonly bundled into Application Security interview questions.
Practice next: Application Security interview questions, and jassics/security-study-plan for the latest updates to this plan.