SabtechX blog, March 20, 2026

Secure Code Review: A Practical Guide to Finding Vulnerabilities in Source Code

What is Secure Code Review?

Secure code review is the process of auditing application source code to identify security vulnerabilities, logic flaws, and deviations from secure coding standards. Unlike dynamic testing, code review can identify vulnerabilities that are difficult to trigger at runtime — such as race conditions, insecure defaults, or dormant backdoors.

Manual vs Automated Review

Automated Static Application Security Testing (SAST) tools (Semgrep, CodeQL, SonarQube, Checkmarx) can quickly scan large codebases for known patterns. However, they produce false positives, miss anything their rules do not encode, and cannot see business logic flaws at all. Manual review by a skilled security engineer remains irreplaceable for finding high-severity vulnerabilities.

The most effective approach combines both: use SAST to triage common patterns at scale, then focus manual effort on authentication, authorisation, cryptography, and data flows.

Where to Focus First

Authentication and Session Management

Review password hashing (bcrypt or Argon2 with a sufficient cost factor), session token generation (cryptographically random, with sufficient entropy), session invalidation on logout, and the attributes set on the session cookie (HttpOnly, Secure, SameSite).

Authorisation Checks

Trace every data retrieval and modification operation back to an authorisation check. Ask: can user A access user B's data by changing an ID? Are admin functions gated on role checks? Is authorisation enforced server-side, never only client-side?
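The pattern a reviewer traces for, shown as an added example (not the post's own code): an insecure direct object reference beside a handler where every read and write goes through one server-side policy function. The invoice store, session shape and role names are hypothetical.

```javascript
'use strict';

// Hypothetical store; a real handler would query the database.
const invoices = new Map([
  [101, { id: 101, ownerId: 'alice', total: 120 }],
  [102, { id: 102, ownerId: 'bob', total: 75 }],
]);

class AuthorizationError extends Error {}

// BEFORE: object-level authorisation failure (IDOR). The handler trusts that
// whoever is logged in may read whatever ID appears in the URL, so changing
// /invoices/101 to /invoices/102 exposes another user's invoice.
function getInvoiceInsecure(session, invoiceId) {
  return invoices.get(Number(invoiceId)) || null;
}

// Central policy: who may do what to an invoice. Keeping it in one place is
// what makes "trace every operation back to a check" tractable in review.
function canAccess(session, invoice, action) {
  if (!session || !session.userId) return false;
  const isAdmin = Array.isArray(session.roles) && session.roles.includes('admin');
  const isOwner = invoice.ownerId === session.userId;
  switch (action) {
    case 'read': return isOwner || isAdmin;
    case 'void': return isAdmin;   // admin-only operation
    default:     return false;     // deny unknown actions
  }
}

// AFTER: every read and write passes through the policy, server-side.
function getInvoice(session, invoiceId) {
  const invoice = invoices.get(Number(invoiceId));
  if (!invoice) return null;
  if (!canAccess(session, invoice, 'read')) {
    throw new AuthorizationError(`read denied on invoice ${invoice.id}`);
  }
  return invoice;
}

function voidInvoice(session, invoiceId) {
  const invoice = invoices.get(Number(invoiceId));
  if (!invoice) return null;
  if (!canAccess(session, invoice, 'void')) {
    throw new AuthorizationError(`void denied on invoice ${invoice.id}`);
  }
  return { ...invoice, voided: true };
}
```

In a real API the HTTP layer would normally map both "not found" and "not yours" to the same response, so an attacker cannot enumerate which IDs exist; the distinction is kept here only so the check is visible.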

Input Validation and Output Encoding

Every piece of external data is untrusted — HTTP parameters, headers, cookies, file uploads, database values read back, third-party API responses. Review how each flows through the application. Is it validated on entry? Is it encoded correctly before being rendered in HTML, inserted into SQL, or passed to an OS command?
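An added example (not from the original post) of the two halves of this check in a Node.js view: an allowlist validator on entry, and context-specific encoding on output, with the unencoded template beside the encoded one. The comment shape and the username rules are assumptions.

```javascript
'use strict';

// Encoder for HTML text and quoted-attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, ch => HTML_ESCAPES[ch]);
}

// Validation on entry: an allowlist for a field with a known shape. Reject,
// do not "clean up", anything that does not match. Rules are assumed.
const USERNAME = /^[a-z0-9_]{3,32}$/;
function parseUsername(input) {
  if (typeof input !== 'string' || !USERNAME.test(input)) {
    throw new TypeError('invalid username');
  }
  return input;
}

// URL path-segment context: percent-encode, never interpolate raw.
function profileLink(username) {
  return `/users/${encodeURIComponent(username)}`;
}

// BEFORE: author and body come from the request, or from the database where
// another user stored them, and go straight into markup: reflected/stored XSS.
function renderCommentInsecure(comment) {
  return `<p class="comment" data-author="${comment.author}">${comment.author}: ${comment.body}</p>`;
}

// AFTER: every interpolation is encoded for its context. The attribute is
// quoted in the template, which is what makes escapeHtml sufficient there.
function renderComment(comment) {
  const author = escapeHtml(comment.author);
  return `<p class="comment" data-author="${author}">${author}: ${escapeHtml(comment.body)}</p>`;
}
```

Note that database values are encoded at render time, not trusted because they "came from our own database": the stored-XSS case in the paragraph above is exactly the one where the malicious string was written by a different request.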

Cryptography

Look for: MD5 or SHA1 used for security purposes, ECB mode cipher usage, hardcoded keys or IVs, insufficient key lengths, custom cryptographic implementations, and predictable random number generation (Math.random() for security purposes).

Error Handling and Logging

Overly verbose error messages expose stack traces, internal paths, database schemas, and software versions. Review error handlers to ensure they return generic messages to clients while logging detail internally. Check that sensitive data (passwords, tokens, PII) is never logged.

Common Vulnerability Patterns to Grep For

When reviewing Node.js/TypeScript codebases, search for: eval(, exec(, innerHTML =, dangerouslySetInnerHTML, Math.random() in security contexts, string concatenation or template literals in SQL queries, JSON.parse without try/catch on external data, and process.env values used without validation.
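The grep list above turned into a small triage scanner, as an added example that is not part of the original post: one regex per pattern, a per-pattern summary, and a constructed sample handler with every pattern present. The pattern set and the sample source are the author's assumptions here; a hit is a line to read, not a confirmed vulnerability.

```javascript
'use strict';

// Regex triage patterns for the grep list. Each hit is a place to read.
const PATTERNS = [
  { id: 'eval',          re: /\beval\s*\(|\bnew\s+Function\s*\(/,        why: 'code execution from data' },
  { id: 'child-process', re: /\b(exec|execSync|spawn|spawnSync)\s*\(/,    why: 'OS command sink' },
  { id: 'inner-html',    re: /\.innerHTML\s*=|dangerouslySetInnerHTML/,   why: 'DOM XSS sink' },
  { id: 'math-random',   re: /\bMath\.random\s*\(/,                       why: 'non-cryptographic RNG; check the context' },
  { id: 'sql-concat',    re: /\b(SELECT|INSERT|UPDATE|DELETE)\b[^;\n]*(\+|\$\{)/i, why: 'SQL built from strings' },
  { id: 'json-parse',    re: /\bJSON\.parse\s*\(/,                        why: 'throws on malformed input; check for try/catch' },
  { id: 'process-env',   re: /\bprocess\.env\.\w+/,                       why: 'config value; check it is validated' },
];

function scanSource(source, file = 'input.js') {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const p of PATTERNS) {
      if (p.re.test(text)) {
        findings.push({ file, line: i + 1, id: p.id, why: p.why, text: text.trim() });
      }
    }
  });
  return findings;
}

// Count hits per pattern id, the shape a triage dashboard wants.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.id] = (counts[f.id] || 0) + 1;
  return counts;
}

// One grep-style line per finding: file:line [id] reason.
function formatFindings(findings) {
  return findings.map(f => `${f.file}:${f.line} [${f.id}] ${f.why}`);
}

// Constructed sample: a deliberately bad Express handler.
const SAMPLE = [
  "const db = require('./db');",
  "app.get('/user', (req, res) => {",
  "  const q = \"SELECT * FROM users WHERE name = '\" + req.query.name + \"'\";",
  "  db.query(q);",
  "  const data = JSON.parse(req.body.payload);",
  "  el.innerHTML = req.query.msg;",
  "  const token = Math.random().toString(36);",
  "  exec('ls ' + req.query.dir);",
  "});",
  "const port = process.env.PORT;",
].join('\n');
```

Run over the sample this reports six lines (3, 5, 6, 7, 8 and 10). Regexes on single lines are deliberately crude: a query assembled over several lines, or `exec` imported under another name, will slip past, which is why the next step in the post is data-flow analysis rather than more patterns.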

Data Flow Analysis

The most thorough technique is taint analysis — tracking untrusted data from its entry point (source) through transformations to where it is used (sink). Sources include HTTP request parameters, headers, cookies, and file contents. Sinks include SQL queries, HTML rendering, OS commands, file paths, and redirects. Any path from source to sink without sanitisation is a potential vulnerability.
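A miniature of the technique, added here as an example and not taken from the original post: an intraprocedural taint analysis over a constructed handler body, one statement per line, tracking each variable's origin and which sink contexts it has been sanitised for. The source, sink and sanitiser tables are assumptions, as are the helper names in the sample (escapeHtml, sameOriginUrl); real tools such as CodeQL or Semgrep's taint mode do this across calls and files.

```javascript
'use strict';

// Sources: prefixes that mark data as attacker-controlled.
const SOURCE_PREFIXES = ['req.query', 'req.params', 'req.body', 'req.headers', 'req.cookies'];
// Sinks: function -> the context it interprets its argument in.
const SINKS = {
  'db.query': 'sql',
  'res.send': 'html',
  'child_process.exec': 'os',
  'fs.readFile': 'path',
  'res.redirect': 'redirect',
};
// Sanitisers: function -> the one context it makes data safe for (assumed names).
const SANITIZERS = {
  escapeHtml: 'html',
  sqlLiteral: 'sql',
  shellQuote: 'os',
  safeJoin: 'path',
  sameOriginUrl: 'redirect',
};

const IDENT = /[A-Za-z_][\w.]*/g;
// Identifiers referenced by an expression, ignoring the contents of string literals.
function identsIn(expr) {
  return expr.replace(/"[^"]*"|'[^']*'/g, '').match(IDENT) || [];
}
function isSource(id) {
  return SOURCE_PREFIXES.some(p => id === p || id.startsWith(p + '.'));
}

// Each variable carries taint records: where the data came from, which
// contexts it has been sanitised for, and the variables it flowed through.
function analyze(code) {
  const taint = new Map();
  const findings = [];
  code.split('\n').forEach((raw, i) => {
    const line = raw.replace(/\/\/.*$/, '').trim().replace(/;$/, '');
    if (!line) return;
    const assign = line.match(/^(?:(?:const|let|var)\s+)?(\w+)\s*=\s*(.+)$/);
    const expr = assign ? assign[2] : line;
    const call = expr.match(/^([\w.]+)\((.*)\)$/);
    const args = call ? call[2] : expr;

    // Collect the taint flowing into this statement from its operands.
    const records = [];
    for (const id of identsIn(args)) {
      if (isSource(id)) {
        records.push({ source: id, sanitizedFor: new Set(), path: [id] });
      } else if (taint.has(id)) {
        for (const r of taint.get(id)) {
          records.push({ source: r.source, sanitizedFor: new Set(r.sanitizedFor), path: [...r.path] });
        }
      }
    }
    if (call && SANITIZERS[call[1]]) {
      records.forEach(r => r.sanitizedFor.add(SANITIZERS[call[1]]));
    }
    if (call && SINKS[call[1]]) {
      const context = SINKS[call[1]];
      for (const r of records) {
        if (!r.sanitizedFor.has(context)) {
          findings.push({ line: i + 1, source: r.source, sink: call[1], context,
                          path: [...r.path, call[1]].join(' -> ') });
        }
      }
    }
    if (assign) {
      taint.set(assign[1], records.map(r => ({ ...r, path: [...r.path, assign[1]] })));
    }
  });
  return findings;
}

// Constructed sample handler body for the demo.
const SAMPLE = `
const name = req.query.name
const html = escapeHtml(name)
res.send(html)                    // sanitised for html: no finding
const sql = "SELECT * FROM users WHERE name = '" + name + "'"
db.query(sql)                     // finding: sql
db.query(html)                    // finding: html-escaped, but not safe for sql
const dir = req.body.dir
child_process.exec("ls " + dir)   // finding: os
const next = sameOriginUrl(req.query.next)
res.redirect(next)                // sanitised for redirect: no finding
res.redirect(req.query.next)      // finding: redirect
`;
```

The second db.query finding is the one worth remembering: sanitisation is per context, so HTML-escaped data is still tainted for SQL, and a reviewer should ask "safe for which sink?" rather than "sanitised?".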

Business Logic Review

Automated tools cannot detect business logic flaws. These require understanding the application domain: Can a user purchase an item at a negative price? Can a user apply a discount code multiple times? Can a workflow step be skipped? Can a resource be accessed before it is fully initialised?
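Three of those four questions, as an added example (not the post's code): a checkout function that trusts client prices, accepts any quantity and applies a discount code once per occurrence, beside a version that prices from the catalog, bounds quantities and enforces single use, plus a transition table that stops a workflow step being skipped. Catalog, discount and status names are hypothetical.

```javascript
'use strict';

// Hypothetical catalog and discount table; prices in minor units (cents).
const CATALOG = new Map([['sku-1', { price: 2500 }], ['sku-2', { price: 999 }]]);
const DISCOUNTS = new Map([['SAVE10', { percentOff: 10 }]]);

// BEFORE: the logic flaws in one function. It trusts the client's price and
// quantity, and applies a code as many times as it appears in the request.
function checkoutInsecure(cart, codes) {
  let total = 0;
  for (const item of cart) total += item.price * item.qty;
  for (const code of codes) {
    const d = DISCOUNTS.get(code);
    if (d) total -= Math.floor(total * d.percentOff / 100);
  }
  return total;
}

// AFTER: prices come from the catalog, quantities are bounded positive
// integers, and a code is applied at most once per order and once per account
// (usedCodes is the account's persisted set of consumed codes).
function checkout(cart, codes, usedCodes = new Set()) {
  if (!Array.isArray(cart) || cart.length === 0) throw new RangeError('empty cart');
  let total = 0;
  for (const item of cart) {
    const product = CATALOG.get(item.sku);
    if (!product) throw new RangeError(`unknown sku ${item.sku}`);
    if (!Number.isInteger(item.qty) || item.qty < 1 || item.qty > 100) {
      throw new RangeError(`invalid quantity for ${item.sku}`);
    }
    total += product.price * item.qty;   // client-supplied item.price is ignored
  }
  const applied = new Set();
  for (const code of codes) {
    const d = DISCOUNTS.get(code);
    if (!d) throw new RangeError('unknown discount code');
    if (applied.has(code) || usedCodes.has(code)) throw new RangeError('discount code already used');
    applied.add(code);
    total -= Math.floor(total * d.percentOff / 100);
  }
  if (total <= 0) throw new RangeError('total must be positive');
  for (const code of applied) usedCodes.add(code);   // consume only after validation
  return total;
}

// Workflow: only listed transitions are legal, so "shipped" cannot be reached
// without passing through "paid".
const TRANSITIONS = {
  created: ['paid', 'cancelled'],
  paid: ['shipped', 'refunded'],
  shipped: ['delivered'],
  delivered: [],
  cancelled: [],
  refunded: [],
};
function advanceOrder(order, next) {
  const allowed = TRANSITIONS[order.status] || [];
  if (!allowed.includes(next)) {
    throw new RangeError(`cannot go from ${order.status} to ${next}`);
  }
  return { ...order, status: next };
}
```

In a real system the "already used" check and the consume step must be one atomic database operation, otherwise two concurrent requests can each pass the check; that race is the runtime-hard-to-trigger case the introduction says code review is good at spotting.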

Review Checklist

  • Are all SQL queries parameterised?
  • Is HTML output encoded before rendering?
  • Are file paths validated to prevent path traversal?
  • Are redirects validated against an allowlist?
  • Is sensitive data encrypted at rest?
  • Are secrets stored in environment variables, not code?
  • Is rate limiting applied to authentication endpoints?
  • Are dependency versions pinned and scanned for CVEs?

Conclusion

Secure code review is a high-ROI security activity when performed consistently as part of the development lifecycle. Embedding security reviewers in pull request workflows, building security linting into CI/CD pipelines, and training developers in secure coding patterns creates a compounding security improvement over time.
