Security Code Review SOP

Sub-procedure for Innovate pillar digital transformation

Overview

This sub-procedure defines the methodology for conducting security-focused code reviews. It covers manual code review techniques, automated scan result analysis, and vulnerability remediation guidance to ensure secure code is deployed to production.

Scope

Pillar: Innovate (Digital Transformation)
Service Area: Secure SDLC
Related Services: Penetration Testing, Application Security

Prerequisites

  • Access to source code repository (read access minimum)
  • Code review scope defined (application, modules, changes)
  • Development environment setup (ability to run code)
  • SAST scan results available (if applicable)
  • Architecture documentation available
  • Threat model available (if applicable)

Procedure

Step 1: Review Preparation

Objective: Establish review scope and context

  1. Scope Definition:
     • Identify code to review (full app, module, PR)
     • Determine review depth (quick, standard, deep)
     • Set time budget based on code volume
     • Identify high-risk areas (auth, data handling, crypto)
  2. Context Gathering:
     • Review architecture documentation
     • Understand data flows and trust boundaries
     • Review threat model (if available)
     • Identify applicable compliance requirements
  3. Environment Setup:
     • Clone repository
     • Set up development environment
     • Configure IDE security plugins
     • Prepare review checklist

Duration: 0.5-1 day
Owner: Security Reviewer

Step 2: Automated Scan Analysis

Objective: Review and triage automated findings

  1. Retrieve Scan Results:
     • SAST findings
     • SCA dependency vulnerabilities
     • Secrets scan results
     • Linting/quality issues
  2. Triage Findings:
     • Validate true positives
     • Mark false positives (with rationale)
     • Prioritize by severity and exploitability
     • Group related findings
  3. Document Findings:
     • Create finding entries with evidence
     • Document remediation recommendations
     • Note patterns for manual review focus

Duration: 0.5-2 days (varies by codebase size)
Owner: Security Reviewer

Step 3: Manual Code Review

Objective: Identify vulnerabilities through manual analysis

Review code for OWASP Top 10 and common vulnerabilities:

  1. Injection Flaws (A03:2021):
     • SQL injection
     • Command injection
     • LDAP injection
     • XSS (reflected, stored, DOM)
     • Look for: user input in queries, system calls, HTML output
  2. Broken Authentication (A07:2021):
     • Password handling
     • Session management
     • MFA implementation
     • Credential storage
  3. Sensitive Data Exposure (A02:2021):
     • Encryption usage (at rest, in transit)
     • PII/PHI handling
     • Logging sensitive data
     • Error messages exposing data
  4. Access Control (A01:2021):
     • Authorization checks
     • IDOR vulnerabilities
     • Privilege escalation
     • API access control
  5. Security Misconfiguration (A05:2021):
     • Default credentials
     • Debug mode enabled
     • Verbose error handling
     • Unnecessary features enabled
  6. Cryptographic Failures (A02:2021):
     • Weak algorithms
     • Hardcoded keys
     • Improper key management
     • Insufficient randomness
  7. Business Logic:
     • Race conditions
     • Workflow bypass
     • Input validation
     • Error handling

Duration: 1-5 days (varies by scope and complexity)
Owner: Security Reviewer
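The first item above ("user input in queries") is the pattern a reviewer most often flags under injection. The following added example, which is not part of this SOP and uses a constructed in-memory SQLite table, shows the vulnerable lookup next to its parameterized remediation, in the before/after form that Step 4 asks for in a finding's remediation section. The function names and sample rows are assumptions made for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demonstration; not from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The finding (CWE-89): caller input is concatenated into the SQL text, so
    # the database parses it as part of the statement instead of as a value.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn: sqlite3.Connection, username: str) -> list:
    # The remediation: a parameterized query keeps the input as bound data;
    # the statement text is fixed regardless of what the caller passes.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demonstrate() -> dict:
    # A reviewer's proof-of-concept input: a value that is valid as a string
    # but, when spliced into the statement, changes its WHERE clause.
    conn = make_db()
    hostile = "x' OR '1'='1"
    return {
        "normal_vuln": find_user_vulnerable(conn, "bob"),
        "normal_fixed": find_user_fixed(conn, "bob"),
        "hostile_vuln": find_user_vulnerable(conn, hostile),   # all rows
        "hostile_fixed": find_user_fixed(conn, hostile),       # no match
    }


if __name__ == "__main__":
    for label, rows in demonstrate().items():
        print(f"{label}: {rows}")
```

The same contrast (input spliced into a statement versus input passed as a bound value) is what to document as the code excerpt and recommended fix in the finding entry.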

Step 4: Findings Documentation

Objective: Document vulnerabilities with actionable guidance

For each finding, document:

  1. Finding Details:
     • Title and severity (Critical/High/Medium/Low/Info)
     • CWE identifier
     • CVSS score (for CVE-related findings)
     • File path and line numbers
     • Code snippet showing vulnerability
  2. Description:
     • What the vulnerability is
     • Why it's a security risk
     • Attack scenario/exploitation
  3. Evidence:
     • Vulnerable code excerpt
     • Proof of concept (if safe to demonstrate)
     • Related findings
  4. Remediation:
     • Recommended fix with code example
     • Alternative solutions
     • Testing guidance
  5. References:
     • CWE, OWASP links
     • Framework-specific guidance

Duration: Included in review time
Owner: Security Reviewer

Step 5: Remediation Support

Objective: Assist developers in fixing vulnerabilities

  1. Findings Walkthrough:
     • Present findings to development team
     • Explain risks and impacts
     • Answer technical questions
     • Clarify remediation approaches
  2. Remediation Consultation:
     • Review proposed fixes
     • Provide guidance on best practices
     • Help prioritize remediation
  3. Fix Verification:
     • Review remediated code
     • Verify fixes are complete
     • Check for regression issues
     • Update finding status

Duration: 0.5-2 days
Owner: Security Reviewer / Developer

Step 6: Review Report

Objective: Deliver comprehensive review documentation

  1. Compile Report:
     • Executive summary
     • Scope and methodology
     • Findings summary (by severity)
     • Detailed findings
     • Remediation status
     • Recommendations
  2. Metrics:
     • Total findings by severity
     • Findings by category
     • Code coverage reviewed
     • Remediation rate
  3. Sign-off:
     • Review complete confirmation
     • Outstanding risks documented
     • Recommendations for future reviews

Duration: 0.5-1 day
Owner: Security Reviewer

Deliverables

Deliverable                     Format                Owner
Review Checklist (completed)    Excel/Markdown        Security Reviewer
Finding Entries                 Jira/Issue tracker    Security Reviewer
Code Review Report              Word/PDF              Security Reviewer
Remediation Guidance            Confluence/Wiki       Security Reviewer
Executive Summary               PowerPoint/Email      Engagement Lead

Quality Gates

  • Review scope documented and approved
  • Automated scan results analyzed
  • Manual review completed per checklist
  • All findings documented with evidence
  • Remediation guidance provided
  • Critical/High findings reviewed with development team
  • Report delivered to stakeholders
  • Remediation verification completed (if in scope)

Security Code Review Checklist

Authentication & Session Management

  • Strong password policies enforced
  • Secure password storage (bcrypt, Argon2)
  • Session tokens properly generated
  • Session timeout implemented
  • Secure cookie attributes (HttpOnly, Secure, SameSite)
  • MFA implementation reviewed

Authorization

  • Access control checks on all endpoints
  • IDOR protections in place
  • Role-based access control implemented
  • Privilege escalation protections

Input Validation

  • All user inputs validated
  • Allowlist validation preferred
  • Parameterized queries used
  • Output encoding applied
  • File upload restrictions

Cryptography

  • Strong algorithms used (AES-256, RSA-2048+)
  • No hardcoded keys/secrets
  • Proper key management
  • TLS 1.2+ enforced
  • Secure random number generation

Error Handling & Logging

  • Generic error messages to users
  • Detailed logging for security events
  • No sensitive data in logs
  • Exception handling implemented

Data Protection

  • PII/PHI properly protected
  • Data encrypted at rest
  • Secure data transmission
  • Data retention policies followed

Last Updated: February 2026