Secure code review is one of the best ways to uncover vulnerabilities and reduce the risk of online web applications being breached. However, secure code review has always been criticized as being skill- and tool-intensive. But what if it could be simplified so that the developers on your team could perform it? What if this could be achieved with minimal impact on deadlines? This presentation will delve into the science and process behind secure code review and will then present a simplified approach to it: a simplified process to follow, free tools to use, and some of the pitfalls to avoid.
Sherif comes from a software development background, where he designed, implemented and led software teams for 9 years. His journey with application security started back in 2006, when he kicked off the OWASP chapter in Ottawa, followed by leading a major release of WebGoat v5.0 by adding over 12 new lessons. In addition, Sherif helped SANS/GIAC kick off the GSSP-NET and GSSP-JAVA exams. He is also leading the Static Code Analysis Evaluation Criteria (SATEC) project at WASC. Sherif now works as Principal Application Security at Software Secured, where he performs source-code-driven security assessments for major financial institutions, healthcare organizations and startups.