If you are looking to start a career doing code security reviews, maybe my notes will be helpful for you.
These notes are taken from the best code review resource ever, in my opinion: “The Art of Software Security Assessment – Identifying and Preventing Software Vulnerabilities”. This book is a very good reference for anyone who is interested in doing a security code review.
Classifying Vulnerabilities
- Design Vulnerabilities (SDLC phases 1, 2, 3)
- Implementation Vulnerabilities (SDLC phases 4, 5)
- Operational Vulnerabilities (SDLC phase 6)
Design Vulnerability
This is a problem that arises from a fundamental mistake in the design itself. You must know that the main source of design errors is the software requirements.
Requirement example:
– The application must support retrieving data from the server.
– The software must support 1000 simultaneous downloads per hour.
For example: the TELNET protocol is designed to allow users to connect to a remote machine and access that machine as though it were connected to a local terminal.
TELNET arguably has a design vulnerability in that it relies on unencrypted communication: credentials and session data travel in cleartext, which is a consequence of the requirements rather than of any particular implementation.