There are two types of developers: those who treat untrusted input as malicious by default, and those who have never experienced an application compromise. PullRequest reviewer Matt Buzanowski aims to appeal to the latter camp in an effort to ensure that compromise never occurs.
Our Code Reviewer Spotlight is an ongoing series of interviews so you can get to know our top reviewers. Discover more about Matt’s desire to spread secure coding practices below.
1. What’s your background?
With over a decade of work experience in the cybersecurity field, I’m a passionate and skilled offensive security expert who strives to protect organizations from cyber threats. I have extensive experience in conducting offensive security engagements that target a wide range of technologies and have an immense passion for application security which I have leveraged to help organizations protect their most sensitive applications.
2. Why is code quality important?
In today's IT ecosystem, code is king. A developer's code quality will determine whether an organization can function or not.
3. Why is a good code review process important?
A secure code review provides assessment coverage of an application that a blackbox penetration test cannot. A skilled code reviewer can quickly understand an application’s codebase, identify high impact vulnerabilities, and provide meaningful remediation recommendations.
4. How do code quality and good code review process lead to fewer impacting bugs and security risk?
With the ability to review an application’s code, the reviewer can identify security vulnerabilities that would not be detected with automated scans or penetration testing. A code review can result in the discovery of logic issues and edge cases that, if exploited, can lead to real-world consequences.
5. Why do you review with HackerOne?
HackerOne has a highly skilled team that continues to be vetted by its peers. I enjoy working with people of such a skill level as it continues to challenge me to be better at what I love.
6. What advantages have you found of being a third-party reviewer?
As a third party, we provide an unbiased perspective about the security of the application’s codebase that has not been tainted by the assumptions that exist within internal teams. This can be equated to getting a second opinion from a doctor who specializes in specific treatments after seeing a general practitioner.
7. What are some common issues you see?
Often the leading cause of a vulnerability stems from the developer treating any external data entering the application as benign. Doing this results in the manifestation of a wide range of application vulnerability classes such as Cross-Site Scripting (XSS), SQL Injection (SQLi), and Unrestricted File Uploads. Access control and authentication related vulnerabilities are also commonplace in most modern applications.
8. What advice do you have for developers?
At the risk of sounding like a broken record, treat any untrusted data as malicious by default. Create an application that implements layered security controls. Adhere to application security best practices such as those found within the OWASP Application Security Verification Standard (OWASP ASVS).
for PullRequest and have vetted, professional reviewers like Matt work with your development teams to ship high-quality code.