Code reviews are hard to do well, particularly when you are not entirely sure which errors you should be looking for! The DevSecOps approach shifts security testing left so that vulnerabilities are found and fixed earlier, in the design, development, or CI/CD stages of the workflow. It is always a good idea to check for security issues in the code that you review. If you don't know what to look for, check out this series for pointers you can use in your next code reviews!
After you have written your code, who actually reviews it? Do you ask the new junior in your team because that person happens to be available? The goal of a review, in general, is to spot mistakes made during the development process, and in this case, to prevent security issues.
Be aware, when reviewing code, that not all code is created equal! Think also about what lies behind the code you are reviewing, and thus about the data and assets you are trying to protect. This working knowledge is not something that fits easily into a checklist. Using your domain knowledge will help you decide where to spend more of your time, and where you should expect higher risk and different types of attacks.
In addition, when appointing a reviewer, make sure that this person has the appropriate knowledge to review the code. When code with a higher security risk needs to be reviewed, ensure that someone with security knowledge (also) looks at it. Handing this task to the new junior in your team alone does not by default make your code more secure.
A great way of determining where the highest-risk areas are is to create attack trees: they show you which attack paths are cheapest for an attacker, and therefore where to focus your review effort first and most.
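To make that concrete, here is an added example (not code from the original article or from any project it describes) of turning a small attack tree into a review priority list. The tree, the difficulty scores and the module names are constructed assumptions for a hypothetical invoicing application; the point is the mechanics: OR nodes let the attacker pick the cheapest child, AND nodes force the attacker to pay for every child, and a code area deserves review time according to the cheapest complete attack that runs through it, not the difficulty of its single step in isolation.

```python
"""Rank code areas for review by the cheapest attack path they sit on.

Added example, not part of the original article. The tree, the difficulty
scores and the module names below are made up for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    """One node of an attack tree. `kind` is "OR", "AND" or "LEAF"."""
    name: str
    kind: str = "LEAF"
    difficulty: int = 0            # leaves only: rough attacker effort, 1 (trivial) .. 10 (hard)
    area: Optional[str] = None     # leaves only: the code area an attacker abuses at this step
    children: List["Node"] = field(default_factory=list)


def attack_paths(node: Node) -> List[List[Node]]:
    """Every distinct set of leaf steps that achieves `node`.

    OR: any one child suffices, so the paths are the union of the children's paths.
    AND: all children are needed, so the children's paths are combined (cartesian product).
    """
    if node.kind == "LEAF":
        return [[node]]
    if not node.children:
        raise ValueError(f"{node.name}: {node.kind} node without children")
    if node.kind == "OR":
        return [path for child in node.children for path in attack_paths(child)]
    if node.kind == "AND":
        paths: List[List[Node]] = [[]]
        for child in node.children:
            paths = [p + q for p in paths for q in attack_paths(child)]
        return paths
    raise ValueError(f"{node.name}: unknown kind {node.kind!r}")


def path_cost(path: List[Node]) -> int:
    """Total attacker effort for one path: every step on it must be carried out."""
    return sum(leaf.difficulty for leaf in path)


def cheapest_path(root: Node) -> Tuple[int, List[str]]:
    """The easiest route to the root goal and the code areas it runs through."""
    best = min(attack_paths(root), key=path_cost)
    return path_cost(best), [leaf.area for leaf in best if leaf.area]


def review_priority(root: Node) -> List[Tuple[int, str]]:
    """Rank code areas by the cheapest complete attack that goes through them.

    An area on a cheap path deserves the most review time, even if the single
    step in that area looks hard on its own. Lowest cost comes first.
    """
    best_per_area: Dict[str, int] = {}
    for path in attack_paths(root):
        cost = path_cost(path)
        for leaf in path:
            if leaf.area is not None:
                best_per_area[leaf.area] = min(cost, best_per_area.get(leaf.area, cost))
    return sorted((cost, area) for area, cost in best_per_area.items())


# Constructed example tree for a hypothetical invoicing app (module names are made up).
TREE = Node("Read another customer's invoices", "OR", children=[
    Node("Bypass authorisation on the invoice endpoint", "OR", children=[
        Node("Guess a sequential invoice id (IDOR)", difficulty=2, area="api/invoices.py"),
        Node("Forge a session cookie", difficulty=8, area="auth/session.py"),
    ]),
    Node("Steal an admin session", "AND", children=[
        Node("Stored XSS in invoice notes", difficulty=4, area="web/templates/invoice_notes.html"),
        Node("Get an admin to open the poisoned invoice", difficulty=3, area="web/invoice_view.py"),
    ]),
])

if __name__ == "__main__":
    cost, areas = cheapest_path(TREE)
    print(f"Easiest attack costs {cost}: review {areas} first")
    for cost, area in review_priority(TREE):
        print(f"{cost:>3}  {area}")
```

With these made-up numbers the IDOR step alone reaches the goal at cost 2, so `api/invoices.py` goes to the top of the review list; the two XSS-related areas share a combined cost of 7 because both steps are required, and the cookie-forging code, hard on its own, comes last. Swap in your own tree and scores, and the same ordering tells you which pull requests need the reviewer with security knowledge, and which can wait.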
Writing the code takes a certain amount of time. The same should apply to a thorough review. However, in many cases the time spent reviewing code is only a very small percentage of the time spent creating it. Understanding code someone else wrote and trying to spot security issues in it is hard and definitely time-consuming. Rushing through it does not help you spot potential security issues.
Check the complete Secure code review cheat sheet