I think the hardest part for pentesters transitioning into security code review is going back to the low level of confidence they had when they started as blackbox testers, and starting all over again. A big part of becoming a good blackbox tester is learning to be uncomfortable until you finally become comfortable: you're more knowledgeable, and you know you can figure it out with a high degree of confidence. Security code review is exactly the same.
Here's the honest truth about this transition:
Commit to spending substantial time on one codebase. Don’t switch targets every few hours just because you haven’t found a zero-day vulnerability. A chaotic approach won't help you grow as a code reviewer.
Selecting the right codebases is crucial. You don't want something too hard or something too simple; you need to be able to grow. For guidance on this, check out our other blog post, "How to start reviewing code?".
Stop measuring your success by the number of vulnerabilities you discover. Instead, look at your improvement in understanding code, navigating codebases, and deciphering complex code structures. These metrics are far more indicative of your progress as a reviewer.
You have probably come across a few blog posts or conference talks and assumed that what you read or saw is how code review actually happens. When you read or watch those, you only see the happy path: a shortcut that explains the issue. They rarely highlight the struggle, the real path the reviewer took to find a bug, or the thousands of detours taken along the way. They also don't talk about the hundred times the reviewer wanted to give up.
Even if you feel like you're not making significant progress, remember that all the time spent will at least help you become a better pentester. It's never wasted effort.
So, take a deep breath, embrace the suck, and dive into the world of code review with a positive mindset. You'll find that with time, persistence, and perseverance, you'll get there!