Skip to main content

Review Process and Feedback

Learn effective security review processes, checklists, and how to communicate security issues constructively during code review.

Effective security review is not just about finding issues - it's about communicating them in a way that helps developers learn and fix problems quickly.

Security Review Checklist

Use this checklist as a starting point for security reviews:

Input Validation 

[ ] All user input is validated before use
[ ] Validation uses allowlists where possible
[ ] Input length limits are enforced
[ ] Special characters are handled appropriately
[ ] Numeric inputs have range checks
[ ] File uploads validate type and size

Authentication 

[ ] Passwords are hashed with bcrypt/argon2/scrypt
[ ] Password requirements are enforced (length, complexity)
[ ] Rate limiting on login attempts
[ ] Session tokens are cryptographically random
[ ] Sessions are invalidated on logout
[ ] Session timeout is implemented
[ ] Password reset tokens expire quickly
[ ] MFA is available for sensitive operations

Authorization 

[ ] Authorization checked on every request
[ ] Authorization is server-side
[ ] Object-level authorization (user owns resource)
[ ] Function-level authorization (user has permission)
[ ] No direct object references without checks
[ ] Admin functions require admin role
[ ] API keys have appropriate scopes

Data Protection 

[ ] Sensitive data encrypted at rest
[ ] TLS 1.2+ for data in transit
[ ] No sensitive data in URLs
[ ] No sensitive data in logs
[ ] PII handled per privacy requirements
[ ] Secrets not hardcoded in source
[ ] Secrets not in version control

Error Handling 

[ ] Errors don't leak sensitive information
[ ] Stack traces not shown in production
[ ] Failed operations logged for monitoring
[ ] Failures default to secure state
[ ] Rate limiting on error-prone endpoints

Security Headers 

[ ] Content-Security-Policy configured
[ ] X-Content-Type-Options: nosniff
[ ] X-Frame-Options or frame-ancestors CSP
[ ] Strict-Transport-Security (HSTS)
[ ] Referrer-Policy configured
[ ] Permissions-Policy for sensitive APIs

Prioritizing Findings

Not all security issues are equal. Use this framework to prioritize:

Critical - Fix Before Merge

  • SQL/Command injection
  • Authentication bypass
  • Remote code execution
  • Exposed credentials/secrets
  • Missing authorization on sensitive endpoints

High - Fix Soon

  • XSS vulnerabilities
  • CSRF vulnerabilities
  • Weak cryptography
  • Session management issues
  • Insecure deserialization

Medium - Track and Plan

  • Missing security headers
  • Verbose error messages
  • Missing rate limiting
  • Weak password requirements
  • Missing input validation

Low - Improve Over Time

  • Missing audit logging
  • Code quality issues
  • Documentation gaps
  • Non-security best practices

Writing Effective Feedback

Good security feedback is specific, actionable, and educational.

Bad Feedback Examples 

"This is insecure."
-> Too vague, doesn't help the developer

"You need to fix this SQL injection."
-> Missing specifics about what and how

"This is a security vulnerability, please fix."
-> No context, no guidance

Good Feedback Examples 

"SQL Injection vulnerability on line 42.

The user input `request.args.get('id')` is concatenated directly
into the SQL query without sanitization.

Attack example:
  id = "1; DROP TABLE users; --"

Fix: Use parameterized queries:
  cursor.execute('SELECT * FROM users WHERE id = %s', (user_id,))

Reference: https://owasp.org/www-community/attacks/SQL_Injection"

"Missing authorization check in get_document() (line 87).

Currently any authenticated user can access any document by ID.
This allows horizontal privilege escalation - User A can access
User B's documents by guessing document IDs.

Suggested fix:
  doc = Document.query.filter_by(
      id=doc_id,
      owner_id=current_user.id
  ).first_or_404()

This ensures users can only access their own documents."

Feedback Template 

## [Severity] Issue Title

**Location:** file.py, line 42

**Problem:** Brief description of the vulnerability

**Impact:** What could an attacker do?

**Proof of Concept:** Example attack input or scenario

**Suggested Fix:** Code example or approach

**References:** Links to learn more

Handling Pushback

Developers may push back on security findings. Handle this constructively:

"It's just internal / behind a VPN"

Response: "Defense in depth means we protect against internal threats too. VPNs can be compromised, and employees can be malicious. Let's add the protection anyway - it's low effort and high value."

"We don't have time to fix this"

Response: "I understand the time pressure. Let's prioritize - the SQL injection is critical and must be fixed. The missing headers can wait for the next sprint. Can we create a ticket to track the lower-priority items?"

"Nobody would actually exploit this"

Response: "Attackers actively scan for these patterns. There are automated tools that find SQL injection, XSS, etc. Even if the risk seems low, the fix is usually simple. Let's not leave a known vulnerability."

"This is how we've always done it"

Response: "I understand it's existing code. Security standards evolve as new attacks emerge. Let's fix it going forward - we can add a ticket to remediate the existing instances."

Review Tools and Automation

Combine manual review with automated tools:

Pre-Review Automation

Run these before manual review to catch obvious issues:

# GitHub Actions example
- name: Run SAST
  uses: github/codeql-action/analyze@v2

- name: Check dependencies
  run: npm audit --audit-level=high

- name: Secrets scan
  uses: gitleaks/gitleaks-action@v2

During Review

Use IDE plugins and browser extensions:

  • SonarLint - Real-time SAST in your IDE
  • Snyk - Dependency vulnerability scanning
  • GitHub Security - Code scanning alerts in PRs

Post-Review

Track security debt:

# Security debt tracking example
| Issue | Severity | File | Created | Status |
|-------|----------|------|---------|--------|
| Missing rate limiting | Medium | auth.py | 2024-01-15 | Backlog |
| Verbose errors | Low | api.py | 2024-01-10 | In Progress |

Building a Security Review Culture

Make Security Everyone's Job

  • Include security in definition of done
  • Rotate security review responsibility
  • Celebrate security fixes, not just features
  • Share security knowledge in team meetings

Provide Training

  • Regular security awareness sessions
  • OWASP Top 10 walkthrough
  • Language-specific security training
  • Incident post-mortems (redacted if needed)

Measure and Improve

Track metrics to improve over time:

  • Time to fix security issues
  • Security issues found in review vs production
  • Coverage of security review (% of PRs reviewed)
  • Developer security training completion

Quick Reference Card

Print this for your desk:

SECURITY CODE REVIEW QUICK REFERENCE
====================================

ALWAYS CHECK:
- User input -> validation -> use
- Authentication on sensitive endpoints
- Authorization on every data access
- Parameterized queries for SQL
- Output encoding for HTML/JS
- Secrets not in code

RED FLAGS:
- String concatenation + SQL/commands
- eval(), exec(), pickle, yaml.load()
- innerHTML with user data
- shell=True with user input
- Missing authorization checks
- Hardcoded secrets/passwords

QUESTIONS TO ASK:
- What if this input is malicious?
- Who should be allowed to do this?
- What data could leak on error?
- Is this logged for security monitoring?
Updated: 1/24/2025

Tags

SecurityDevSecOpsCode ReviewSecure Development

Found an issue?

Related Guides

Cryptography Essentials

2025-01-24|34 min read

Dependency Scanning

2025-01-24|24 min read

CI/CD Pipeline Hardening

2025-01-24|20 min read