Source Code Review

Are you ready for another great chapter? I'm assuming that you like this book so far, and, if that's the case, I'm glad. This chapter will teach you how to deal with the source code review process. The source code is the heart, or engine, of the web application, and it must be properly constructed from a security perspective. Your role as an application security expert is to make sure that developers really respect the security patterns. After reading that, you're probably saying, "But Gus, I'm not good at programming." You will see my response to this later in this chapter, but for the time being, rest assured that I will do my best to help you progress in your career.

Static code analysis is another buzzword for source code review: analyzing the code without executing it. But wait, I'm not done yet. There is another buzzword, static application security testing (SAST). This buzzword is used very frequently by application security professionals, especially when we deal with automated scanners (also known as SAST scanners).

I will be talking about this topic in detail later in this chapter, so keep reading to avoid missing all the fun and educational materials.

At this stage, I'm assuming that you have finished your Application Threat Modeling document and understand how the web application works at a high level. Make sure that you review the threat modeling document to understand the project architecture (entry points, assets, external dependencies, trust levels, and security threats). I talked about threat modeling in the previous chapter for a reason, and that's because I'm trying to show you the flow of logic that you will use in a typical internal project: threat model first, then code review.

Here are the topics that I will be covering in this chapter:

  • How to estimate your programming background
  • Understanding enterprise secure coding guidelines
  • Understanding the difference between a manual code review and an automated one
  • Secure coding checklist