PENALGO

Giao diện

Conduct Code Security Review

1. Purpose

Human intuition. SAST tools catch syntax errors (SQLi). Humans catch logic errors ("Why can User A see User B's invoice?"). This workflow guides the reviewer to think like an attacker.

2. When to Use / When Not to Use

Use This Workflow When

  • Merging Sensitive features (Auth, Payments, PII).
  • Reviewing external contributions.
  • Periodic audit of "Hotspots" (Legacy code).

Do NOT Use This Workflow When

  • Reviewing CSS updates (Low risk).
  • You rely only on the tool. (Tools have false negatives).

3. Inputs

Required Inputs

  • [[PULL_REQUEST_URL]]: Link to diff.
  • [[THREAT_MODEL]]: "Attacker is an authenticated user trying to elevate privileges".
  • [[LANGUAGE]]: Python, Go, Java, TS.

4. Outputs

  • Findings: Critical/High/Medium/Low.
  • PoC: "I changed the ID in the URL and saw admin data".

5. Preconditions

  • Understand the business logic (What is this code supposed to do?).
  • Code compiles.

6. Procedure

Phase 1: Injection & Input

  1. Action: Check Data Entry Points (API, URL, Headers).
    • Expected Output: Ensure all inputs are Validated (Allow-list) and Sanitized.
    • Notes: Look for Raw SQL strings, innerHTML, exec().

Phase 2: AuthN & AuthZ

  1. Action: Check IDOR (Insecure Direct Object Reference).

    • Expected Output: GET /order/{id} checks if order.user_id == current_user.id.
    • Notes: Automation usually misses this.

  2. Action: Check Broken Access Control.

    • Expected Output: Admin endpoints require @admin_required decorator.

Phase 3: Secrets & Logging

  1. Action: Scan for Hardcoded Secrets.

    • Expected Output: Keys/Tokens not in code.

  2. Action: Check Logging.

    • Expected Output: No PII/Passwords logged. Logging sensitive actions (Audit Trail).

7. Quality Gates

  • [ ] Logic Verified: Reviewer walked through the "Happy Path" and "Evil Path".
  • [ ] Tests Added: Security regression test added for any found bugs.
  • [ ] Sanitization: Output encoding used (to prevent XSS).

8. Failure Handling

Complex Obfuscated Code

  • Symptoms: Reviewer cannot understand what the code does.
  • Recovery: Reject PR. "Security by Obscurity" is false. Complexity hides bugs. Rewrite for clarity.

Time Pressure

  • Symptoms: "Just merge it, we fix later."
  • Recovery: Hold the line on Criticals. Accept risks on Mediums with Ticket #.

9. Paste Prompt

TIP

One-Click Agent Invocation Copy the prompt below, replace placeholders, and paste into your agent.

text
Role: Act as a Security Reviewer.
Task: Execute the Secure Code Review workflow.

## Objective
Review [[PULL_REQUEST_URL]] for OWASP Top 10 vulnerabilities.

## Inputs
- **Language**: [[LANGUAGE]]

## Procedure
Execute the following phases:

1. **Input Validation**:
   - Trace all user inputs from Controller to Database/Render.
   - Fuzz mental models (What if I send -1? What if I send SQL?).

2. **Access Control**:
   - Verify every endpoint checks Permissions.
   - Verify ownership checks on resource access (Prevent IDOR).

3. **Crypto/Secrets**:
   - Verify standard Algos (AES/Bcrypt). No home-rolled crypto.
   - Check for keys in constants.

## Quality Gates
- [ ] Authorization checks present on all routes.
- [ ] Validations are server-side (Client-side doesn't count).
- [ ] No raw queries (ORM/Parameterized used).

## Constraints
- Output: Review Comments (Markdown).
- Standard: OWASP ASVS Level 2.

## Command
List potential security flaws in the provided snippet.

Cập nhật lần cuối:

Professional Engineering Standards | © 2025 HPN Corporation