Security Code Review Resources

My personal collection of resources (mostly tools and training materials) for source code security audits. Updated gradually as I discover interesting material on the subject.

• Training Materials
  • Learning Resources
  • Learning Platforms
  • Vulnerable Apps
• Tools
  • Static Application Security Testing (SAST) Tools
  • Grep-based Tools
  • Frameworks
• Lists
  • Vulnerability Checklists
  • Interesting Keywords & Regex

Training Materials

Learning Resources

• [Blog Post] Secure Code Review (MITRE's System Engineering Guide) : good introduction with definitions.
• [Conference] OWASP Appsec Day - The Absolute AppSec Secure Code Review Framework : strong focus on methodology.
• [Conference] Source code security audit speed run by Eldar Marcussen : methodology and tooling.
• [Guide] OWASP Code Review Guide (currently v2) : (almost) exhaustive guide on secure code review.

Learning Platforms

• OWASP's Secure Coding Dojo Example
• Secure Code Warrior (paid service with free trial)

Vulnerable Apps

• Vulnerable Task Manager (vtm) : vulnerable task manager in Python/Django, correction not available.
• OWASP WebGoat : vulnerable web application with Java backend, correction available.
• Damn Vulnerable iOS App 1 : vulnerable iOS app written in Objective-C, correction available.
• Damn Vulnerable iOS App 2 : vulnerable iOS app written in Swift, correction available.

Tools

Static Application Security Testing (SAST) Tools

• OWASP's Source Code Analysis Tools
• A curated list of static analysis tools and tools and config files (GitHub)
• Static Application Security Testing Suites used in GitLab's CI/CD
• grepmarx - A source code static analysis platform for AppSec enthusiasts
• Joern - Generate queriable code property graphs
• Sourcetrail - open-source interactive source explorer

Grep-based Tools

• megagrep : find interesting parts of the code to manually check based on keywords. Comes with additional features such as per-file statistics or dev comments search.
• graudit : find very specific vulnerabilities based on regular expressions, a lot of false negatives but can be extended with your own regexs.
• crass : source code grep-er with a set of selected high-potential strings that may result in (security) problems.
• drek : source code grep-er with nice HTML and PDF reports.
• DumpsterDiver : search secrets based on entropy.
• Code-Crawler : automatic tool used for crawling code to find low-hanging fruits.

Frameworks

• MobSF : all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

Lists

Vulnerability Checklists

• Michaela Greiler's checklist
• Aggregated checklist from various sources
• OWASP's Code Review Checklist
• My own custom list based on the above resources

Interesting Keywords & Regex

• OWASP's Code Review Keywords List
• Collection of Regex in various languages
• My own Keywords List