Security Code Review Guide
Security review is not a bug hunt. It is a search for vulnerabilities. Every engineer needs this skill.
Check your access controls:
- Require authentication for every endpoint.
- Verify user permissions.
- Prevent users from seeing other users' data.
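The three access-control checks above, as an added example that is not part of the original post. It uses a small in-memory store and a dict as the session (both constructed for the demo); a real app would get these from its framework, but the reviewer is looking for the same three things: an authentication gate, a permission check, and a lookup that cannot return another user's record.

```python
"""Authorization checks a reviewer looks for on every endpoint (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Document:
    doc_id: int
    owner_id: int
    body: str


# Constructed sample data: two users, each owning one document.
DOCUMENTS = {
    1: Document(doc_id=1, owner_id=100, body="alice's notes"),
    2: Document(doc_id=2, owner_id=200, body="bob's notes"),
}


class AuthError(Exception):
    """Unauthenticated request (HTTP 401 in a web app)."""


class NotFound(Exception):
    """Missing document OR a document the caller may not see (HTTP 404 for both)."""


def current_user(session: dict) -> int:
    """Check 1: require authentication. An empty or malformed session is rejected."""
    user_id = session.get("user_id")
    if not isinstance(user_id, int):
        raise AuthError("login required")
    return user_id


def get_document(session: dict, doc_id: int) -> Document:
    """Checks 2 and 3: the caller must be logged in AND own the document.

    Returning the same 404 for "does not exist" and "not yours" avoids telling
    a caller which ids are valid, which is what an IDOR probe is looking for.
    """
    user_id = current_user(session)
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != user_id:
        raise NotFound(f"document {doc_id} not found")
    return doc


def get_document_insecure(session: dict, doc_id: int) -> Optional[Document]:
    """The pattern a review should flag: lookup by id only, no ownership check."""
    return DOCUMENTS.get(doc_id)


def review_demo() -> dict:
    """Exercise both versions so the difference shows up in the return value."""
    alice = {"user_id": 100}
    results = {}
    # The insecure version hands Alice Bob's document.
    results["insecure_leaks"] = get_document_insecure(alice, 2) is not None
    # The checked version: own document works, other user's and anonymous fail.
    results["own_doc"] = get_document(alice, 1).doc_id
    try:
        get_document(alice, 2)
        results["other_doc_blocked"] = False
    except NotFound:
        results["other_doc_blocked"] = True
    try:
        get_document({}, 1)
        results["anonymous_blocked"] = False
    except AuthError:
        results["anonymous_blocked"] = True
    return results


if __name__ == "__main__":
    print(review_demo())
```

The detail worth copying is the single 404 path: a separate "forbidden" response for documents that exist but belong to someone else lets a caller enumerate valid ids.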
Fix your input handling:
- Sanitize all user input.
- Avoid raw SQL queries.
- Prevent injection attacks.
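The input-handling items above side by side, as an added example (not from the original post): a query that concatenates user input, the parameterized form a reviewer should insist on, and an allowlist validator in front of both. It uses Python's bundled sqlite3 with a constructed in-memory table, so it runs offline.

```python
"""Raw string-built SQL beside its parameterized fix, plus input validation (added example)."""
import re
import sqlite3

# Allowlist for a username: defense in depth, not a substitute for parameter binding.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def validate_username(value: str) -> str:
    """Reject anything that is not a plausible username before it reaches the database."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def make_db() -> sqlite3.Connection:
    """Constructed sample table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_raw(conn: sqlite3.Connection, username: str) -> list:
    """The pattern to flag in review: user input becomes part of the SQL text."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_param(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the value travels as a bound parameter and can never change the query's shape."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare(username: str) -> dict:
    """Row counts returned by each variant for the same input."""
    conn = make_db()
    return {
        "raw": len(find_user_raw(conn, username)),
        "param": len(find_user_param(conn, username)),
    }


if __name__ == "__main__":
    print(compare("alice"))          # both variants return 1 row
    print(compare("' OR '1'='1"))    # raw returns every row; param returns none
```

For a legitimate username both variants agree; for input containing quote characters the raw query's WHERE clause is rewritten and it returns the whole table, while the bound parameter is compared literally and matches nothing. That difference in row count is the review finding.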
Manage your files and secrets:
- Validate file types and sizes.
- Store uploads outside the web root.
- Remove hardcoded API keys.
- Use a secrets manager.
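The upload checks above as an added example (not from the original post): type decided from file content rather than the client's filename, a size cap, and a server-chosen name under a directory outside the web root. The limit, the directory and the allowed types are assumptions for the demo; the function returns the would-be storage path without writing anything, so it runs anywhere.

```python
"""Upload validation: content-based type check, size cap, storage outside the web root (added example)."""
import secrets
from pathlib import Path

MAX_UPLOAD_BYTES = 5 * 1024 * 1024     # assumed limit
UPLOAD_DIR = Path("/var/app/uploads")   # assumed location, deliberately not under the web root

# Allowed types, keyed by the bytes that start a genuine file of that type.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}


class UploadRejected(ValueError):
    pass


def detect_type(data: bytes) -> str:
    """Decide the type from the file's own bytes, never from the client's filename."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    raise UploadRejected("content is not an allowed image type")


def check_upload(filename: str, data: bytes) -> str:
    """Validate an upload and return the server-side path it would be stored at."""
    if len(data) == 0 or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("size out of range")
    ext = detect_type(data)
    # The client's extension is only checked for consistency with the content;
    # it is never used to build the stored name.
    suffix = Path(filename).suffix.lower().lstrip(".")
    claimed = {"jpeg": "jpg"}.get(suffix, suffix)
    if claimed != ext:
        raise UploadRejected("extension does not match content")
    # Random name: no user-controlled path components, no collisions, no overwrite of existing files.
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    return str(UPLOAD_DIR / stored_name)


if __name__ == "__main__":
    sample_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64   # constructed minimal PNG header
    print(check_upload("avatar.png", sample_png))
```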
Clean up your errors and libraries:
- Hide stack traces from users.
- Scan new libraries for risks.
- Update dependencies often.
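"Hide stack traces from users" in code, as an added example (not from the original post): the handler logs the full traceback server-side under a fresh incident id and returns only that id to the client, beside the leaky version a reviewer should flag. The response shape and logger name are assumptions; a web framework's error hook would call safe_error_response() from its exception handler.

```python
"""Error responses that keep stack traces out of the client's view (added example)."""
import logging
import traceback
import uuid
from typing import Callable

log = logging.getLogger("app")  # assumed logger name


def leaky_error_response(exc: Exception) -> dict:
    """The pattern to flag: exception text and trace (file paths, versions, query text) go to the client."""
    return {"status": 500, "body": {"error": str(exc), "trace": traceback.format_exc()}}


def safe_error_response(exc: Exception) -> dict:
    """Log the full trace with an incident id; the client gets a generic message plus the id."""
    incident_id = uuid.uuid4().hex
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("incident=%s\n%s", incident_id, trace)
    return {"status": 500, "body": {"error": "internal error", "incident_id": incident_id}}


def handle(view: Callable[[], object]) -> dict:
    """Minimal request wrapper: run the view, convert any failure into a safe 500."""
    try:
        return {"status": 200, "body": view()}
    except Exception as exc:  # noqa: BLE001 - the top-level handler must catch everything
        return safe_error_response(exc)


def trace_leaked(response: dict) -> bool:
    """True if the response body still carries exception internals."""
    text = str(response["body"])
    return "Traceback" in text or "ZeroDivisionError" in text


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(handle(lambda: 1 / 0))
```

The incident id is what support and on-call staff grep for in the logs, so the user still has something to report without the response revealing file paths, library versions or query text.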
Improve your workflow:
- Put a security checklist in your PR template.
- Run SAST tools on every PR.
- Study the OWASP Top 10.
- Think like an attacker.
Your action plan:
- Week 1: Run a security audit.
- Month 1: Set up security headers.
- Quarter 1: Practice a breach scenario.
Source: https://dev.to/therizwansaleem/security-code-review-what-to-look-for-when-reviewing-pull-requests-4pe6
Optional learning community: https://t.me/GyaanSetuAi