In every field, people eventually hit plateaux in their progression. Security code review is no different. In this article, we explore common reasons for these plateaux and how to overcome them!
A common reason for hitting a plateau is relying solely on “grep” to find bugs, hoping for quick wins. While “grepping for a bug” is a valid strategy, it is not the best way to learn and improve your skills: a grep only finds what you already know to look for, typically a well-known dangerous sink such as a command execution or deserialization call, and every other reviewer with the same list of patterns has already run it against the same code. This approach can also be very frustrating, because the easy hits are gone. Try to use grep less and spend more time actually reading the code, following how data moves between methods and classes rather than stopping at the lines your pattern matched. Remember, in security code review, you get out what you put in. Low effort leads to low reward!
Limiting yourself to hunting only for security issues, without trying to understand the rest of the codebase, can also hinder your progression. You need to spend time exploring the codebase to understand its architecture, the developers’ style and their common patterns: which helpers wrap dangerous operations, where input validation is expected to happen, and which conventions the team relies on. This broader understanding helps you find vulnerabilities that others have missed, for example a dangerous call hidden behind an innocuously named helper, or a place where a convention is silently not followed. Simply searching for known vulnerability patterns will only yield expected results. Reading and understanding the code can reveal the unknown unknowns.
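To make the difference between “grepping for a bug” and reading the code concrete, here is an added example that is not part of the original PentesterLab post. It runs two approaches over a small constructed Java snippet (assumed, not taken from any real project): a grep-style workflow that only flags a method when both the request parameter read and the `Runtime.exec` sink appear in that method’s own body, and a reading-style workflow that follows calls into helper methods the way a reviewer would while tracing the code. The tiny method extractor and call matcher are deliberately minimal and only meant for this sample.

```python
"""Grep-style versus reading-style review of a constructed code sample.

The Java snippet below is constructed for this example: ShellHelper.run wraps
Runtime.exec behind an innocuous name, PingController.ping reaches the sink
only through that wrapper, and ReportJob.export calls the sink directly.
"""
import re

SAMPLE_SOURCE = """\
public class ShellHelper {
    public static String run(String cmd) throws IOException {
        Process p = Runtime.getRuntime().exec(cmd);
        return readAll(p.getInputStream());
    }
}

public class PingController {
    public String ping(HttpServletRequest req) throws IOException {
        String host = req.getParameter("host");
        return ShellHelper.run("ping -c 1 " + host);
    }
}

public class ReportJob {
    public void export(HttpServletRequest req) throws IOException {
        String name = req.getParameter("name");
        Runtime.getRuntime().exec("zip " + name + ".zip /tmp/report");
    }
}
"""

# The "known bad" patterns a reviewer would typically grep for.
SINK_PATTERN = re.compile(r"Runtime\.getRuntime\(\)\.exec\(")
SOURCE_PATTERN = re.compile(r'getParameter\("')

# Minimal Java-ish method header: modifiers, return type, name, params, "{".
METHOD_HEADER = re.compile(
    r"^\s*(?:(?:public|private|protected|static)\s+)*[\w<>\[\]]+\s+(\w+)\s*\(([^)]*)\)[^{;]*\{\s*$"
)
CALL = re.compile(r"\b(\w+)\s*\(")


def grep(source, pattern):
    """Plain grep: (line number, line) for every line matching the pattern."""
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if pattern.search(line)]


def parse_methods(source):
    """Map method name -> body text, using brace counting to find the end.

    Good enough for the constructed sample above; it is not a real Java parser.
    """
    methods, lines, i = {}, source.splitlines(), 0
    while i < len(lines):
        m = METHOD_HEADER.match(lines[i])
        if not m:
            i += 1
            continue
        name, depth, body = m.group(1), 1, []
        i += 1
        while i < len(lines) and depth > 0:
            depth += lines[i].count("{") - lines[i].count("}")
            if depth > 0:
                body.append(lines[i])
            i += 1
        methods[name] = "\n".join(body)
    return methods


def grep_style_findings(source):
    """Quick-win workflow: flag a method only if source and sink sit in its own body."""
    methods = parse_methods(source)
    return sorted(name for name, body in methods.items()
                  if SINK_PATTERN.search(body) and SOURCE_PATTERN.search(body))


def sink_paths(source):
    """Reading-style workflow: from every method that reads request input, follow
    calls into other methods until a sink is reached. Returns name -> call path."""
    methods = parse_methods(source)
    calls = {name: {c for c in CALL.findall(body) if c in methods and c != name}
             for name, body in methods.items()}

    def path_to_sink(name, seen):
        if SINK_PATTERN.search(methods[name]):
            return [name]
        for callee in sorted(calls[name] - seen):
            path = path_to_sink(callee, seen | {callee})
            if path:
                return [name] + path
        return None

    findings = {}
    for name, body in methods.items():
        if SOURCE_PATTERN.search(body):
            path = path_to_sink(name, {name})
            if path:
                findings[name] = path
    return findings


if __name__ == "__main__":
    print("grep hits for the sink:", grep(SAMPLE_SOURCE, SINK_PATTERN))
    print("grep-style findings:", grep_style_findings(SAMPLE_SOURCE))
    print("reading-style findings:", sink_paths(SAMPLE_SOURCE))
```

The grep for the sink does return two hits, but one of them sits inside `ShellHelper.run`, where the argument is just a method parameter and nothing looks user-controlled, so a quick triage dismisses it and only `export` gets flagged. Following the callers of `run` is what surfaces the `ping` path, and that is the kind of finding the paragraph above has in mind: the wrapper was obvious to the developers, and invisible to anyone who stopped at the grep output.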
Another plateau arises when you don’t spend enough time on the same code. Finding vulnerabilities means discovering issues that the developers, and perhaps other security researchers before you, overlooked, and they usually overlooked them because the problem is not visible on a first pass. This requires deep focus on reading and re-reading the same sections of code, keeping track of assumptions each function makes about its callers and its inputs. Browsing won’t cut it; you need to dive deep and get obsessed with specific lines of code to uncover hidden issues.
Consistent practice is crucial in security code review. To get better at uncovering vulnerabilities, you need regular practice not only to hone your skills but also to build your resilience. Persisting through dry spells, the periods when no bugs turn up, often makes the difference. By continuing to search when others would give up, you increase your chances of finding more vulnerabilities.
We hope this post gives you useful strategies to overcome the plateaux in your security code review journey. To further enhance your skills, make sure you check out PentesterLab’s Code Review and Java Code Review badges!