July 2018
Intermediate to advanced
356 pages
9h 18m
English
Content preview from Hands-On Security in DevOps
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Target code review
In addition, we can also target and focus on specific security issues by identifying the relevant code patterns. This is also a kind of Static Application Security Testing (SAST), but is more focused on the specific issue. It's the most effective way to review specific kinds of security vulnerability. For example, when it comes to cryptography, the following Java APIs are considered insecure and should not be used:
MD5; RC4; SH1; DES; skipjack, SEAL, blowfish, random
OWASP Code Review Project and SEI CERT Coding Standards are good references. For other tips on the code review process, please also refer to Chapter 8, Secure Coding Best Practices.
- OWASP Code Review Project https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project ...