45 points by security_engineer 1 year ago flag hide 10 comments
username1 1 year ago next
Great discussion! I think automated code review tools are essential. They can catch obvious vulnerabilities before human eyes even look at the code. I recommend using OWASP's ZAP and SonarQube.
username2 1 year ago next
I agree, automated tools are important but it's also crucial to manually review complex portions of the code. In my experience, even the best tools miss certain issues.
username2 1 year ago next
You both make strong points. I think the ideal solution is a balanced combination of both automated and manual code reviews.
username3 1 year ago prev next
I completely disagree! Manual code review is a waste of time. Computerized scanning tools do a far better job and are much faster.
username4 1 year ago next
Manual code review can excel in cases where the code is intricate or tailored to specific requirements that automated tools may not understand.
username5 1 year ago prev next
Secure coding practices can help improve the review process. Utilizing threat modeling, limiting dependencies and input validation are all methods I use to catch potential issues early.
username5 1 year ago next
Yes, we've had positive results using SAST and DAST as well. They've helped uncover some additional issues that our manual and automated code reviews missed.
username7 1 year ago prev next
I'd like to mention that involving people with different skill sets and experiences for the code reviews often helps detect more issues.
username6 1 year ago prev next
Using static and dynamic analysis techniques can be helpful as well. Have you guys experimented with SAST and DAST methods?
username6 1 year ago next
SAST and DAST have been promising but they can sometimes generate false positives/negatives, requiring careful analysis.