Techniques
https://semmle.com/variant-analysis
Several analysis techniques can be applied during a code review to find vulnerabilities more systematically than reading the code top to bottom.
Variant Analysis - The process of using a known vulnerability as a seed to find similar problems elsewhere in your code.
Control Flow Analysis (CFA) - Inspect how the different parts of the source code are executed and in which order. This is useful for finding vulnerable code paths that are only executed under unlikely circumstances the developer has not anticipated.
Data Flow Analysis (DFA) - The process of tracking data from a source (where it enters the program) to a sink (where it is consumed).
Taint Tracking - Tainted data is untrusted data that is under partial or full control of a user. Data flow analysis can be employed to track tainted data throughout the program, from the sources (method calls and variable assignments, including containers and class members) to a sink.
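The source-to-sink tracking described above, as an added example (not code from the original page): a minimal intra-procedural taint tracker over Python source using the standard `ast` module. The source, sanitizer and sink lists, the helper names and the constructed sample program are all assumptions made for this illustration; a real tool would carry a much larger, framework-specific catalogue and would also model branches and calls between functions.

```python
import ast

# Hypothetical catalogue for this example (assumption, not a real tool's list).
SOURCES = {"input", "request.args.get"}
SANITIZERS = {"shlex.quote"}
SINKS = {"os.system", "eval", "subprocess.call"}


def qualified_name(node):
    """Dotted name for a Name/Attribute chain (e.g. request.args.get), else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualified_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(expr, tainted):
    """True if expr reads a tainted variable or calls a source; a sanitizer call cuts the flow."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        callee = qualified_name(expr.func)
        if callee in SOURCES:
            return True
        if callee in SANITIZERS:
            return False
    # Any other expression (BinOp, f-string, list literal, method call on a
    # receiver, ...) is tainted if any of its sub-expressions is.
    return any(is_tainted(child, tainted) for child in ast.iter_child_nodes(expr))


def statements_in_order(body):
    """Yield statements in source order, descending into the main bodies of compound statements."""
    for stmt in body:
        yield stmt
        for field in ("body", "orelse", "finalbody"):
            inner = getattr(stmt, field, None)
            if isinstance(inner, list):
                yield from statements_in_order(inner)


def expressions_of(stmt):
    """Yield the expression nodes belonging to stmt itself, not to nested statements."""
    stack = [stmt]
    while stack:
        node = stack.pop()
        for child in ast.iter_child_nodes(node):
            if isinstance(child, ast.stmt):
                continue
            yield child
            stack.append(child)


def find_taint_flows(source_code):
    """Per function: propagate taint through assignments, report sink calls fed by tainted arguments."""
    tree = ast.parse(source_code)
    findings = []
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in statements_in_order(func.body):
            if isinstance(stmt, ast.Assign):
                # x = <expr>: x is tainted afterwards iff the right-hand side is
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        if is_tainted(stmt.value, tainted):
                            tainted.add(target.id)
                        else:
                            tainted.discard(target.id)
            for node in expressions_of(stmt):
                if isinstance(node, ast.Call) and qualified_name(node.func) in SINKS:
                    if any(is_tainted(arg, tainted) for arg in node.args):
                        findings.append((func.name, qualified_name(node.func), node.lineno))
    return findings


# Constructed sample program under review (not real application code).
SAMPLE = """\
import os, shlex, subprocess

def ping(request):
    host = request.args.get("host")       # source: user-controlled query parameter
    safe = shlex.quote(host)              # sanitizer: result treated as clean
    os.system("ping -c 1 " + safe)        # no finding
    cmd = "ping -c 1 " + host             # taint propagates through concatenation
    if host:
        os.system(cmd)                    # finding: tainted cmd reaches os.system
    eval("1+1")                           # constant argument, no finding

def banner():
    name = input()                        # source
    subprocess.call(["echo", name])       # finding: tainted element inside a list argument
"""

if __name__ == "__main__":
    for func, sink, line in find_taint_flows(SAMPLE):
        print(f"{func}: tainted data reaches {sink} at line {line}")
```

Each finding names the function, the sink and the line, which is what a reviewer needs to start triage. The tracker is deliberately flow-insensitive about branches (taint is not merged at join points) and ignores calls between functions, so it is a starting point for review, not a verdict.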
Range Analysis / Bound Analysis - Used to investigate which possible values a variable can hold and which values it will never hold. This can yield interesting vulnerabilities such as a buffer overflow. It can also be used to identify areas of dead code.
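The two uses named above (an index that can exceed a buffer, and a branch whose condition can never be true) worked through in an added example that is not part of the original page: an interval analysis over a small tuple-based toy IR. The IR shape, the statement kinds, the `BUF_SIZE` constant and the constructed program are assumptions made for this illustration.

```python
def eval_expr(expr, env):
    """Interval (lo, hi) of a toy-IR expression tree under the variable environment env."""
    kind = expr[0]
    if kind == "const":            # ("const", lo, hi): a literal, or an input known only by range
        return (expr[1], expr[2])
    if kind == "var":              # ("var", name)
        return env[expr[1]]
    if kind not in ("add", "sub", "mul"):
        raise ValueError(f"unknown expression kind {kind!r}")
    a, b = eval_expr(expr[1], env), eval_expr(expr[2], env)
    if kind == "add":
        return (a[0] + b[0], a[1] + b[1])
    if kind == "sub":
        return (a[0] - b[1], a[1] - b[0])
    corners = [a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1]]
    return (min(corners), max(corners))


def refine(env, var, op, k):
    """Narrow var's interval under the branch condition `var op k`; None if unsatisfiable."""
    lo, hi = env[var]
    if op == "<":
        hi = min(hi, k - 1)
    elif op == "<=":
        hi = min(hi, k)
    elif op == ">":
        lo = max(lo, k + 1)
    elif op == ">=":
        lo = max(lo, k)
    else:
        raise ValueError(f"unknown comparison {op!r}")
    if lo > hi:
        return None                # the condition can never hold: the branch is dead
    narrowed = dict(env)
    narrowed[var] = (lo, hi)
    return narrowed


def analyze(program, env=None):
    """Walk the toy IR; return (findings, env) where env maps variables to intervals."""
    env = dict(env or {})
    findings = []
    for stmt in program:
        kind = stmt[0]
        if kind == "assign":       # ("assign", name, expr)
            env[stmt[1]] = eval_expr(stmt[2], env)
        elif kind == "index":      # ("index", buffer, size, idx_expr, line)
            lo, hi = eval_expr(stmt[3], env)
            if lo < 0 or hi >= stmt[2]:
                findings.append(("out-of-bounds", stmt[1], (lo, hi), stmt[4]))
        elif kind == "if":         # ("if", var, op, k, body, line): no else-branch
            narrowed = refine(env, stmt[1], stmt[2], stmt[3])
            if narrowed is None:
                findings.append(("dead-code", stmt[1], stmt[5]))
                continue
            body_findings, body_env = analyze(stmt[4], narrowed)
            findings.extend(body_findings)
            # Join: after the if, a variable may hold any value from either path.
            # The fall-through path keeps the unrefined env (a sound over-approximation).
            for name, (blo, bhi) in body_env.items():
                lo, hi = env.get(name, (blo, bhi))
                env[name] = (min(lo, blo), max(hi, bhi))
        else:
            raise ValueError(f"unknown statement kind {kind!r}")
    return findings, env


BUF_SIZE = 16                      # assumed buffer size for the constructed program

# Constructed program: an untrusted byte is doubled and used as an index.
PROGRAM = [
    ("assign", "n", ("const", 0, 255)),                         # n = byte read from the network
    ("assign", "i", ("mul", ("var", "n"), ("const", 2, 2))),    # i = n * 2, so i in [0, 510]
    ("if", "i", "<", BUF_SIZE, [
        ("index", "buf", BUF_SIZE, ("var", "i"), 4),             # guarded: i in [0, 15], safe
    ], 3),
    ("index", "buf", BUF_SIZE, ("var", "i"), 6),                 # unguarded: i may reach 510
    ("assign", "len", ("const", 0, 64)),                         # length field, at most 64
    ("if", "len", ">", 100, [
        ("index", "buf", BUF_SIZE, ("const", 0, 0), 9),
    ], 8),                                                       # [0, 64] > 100 is impossible: dead
]

if __name__ == "__main__":
    for finding in analyze(PROGRAM)[0]:
        print(finding)
```

The interesting detail is the join after the guarded branch: inside the `if` the index is known to be in [0, 15], but once the paths merge the analysis must widen `i` back to [0, 510], which is exactly why the second, unguarded access is reported while the first is not.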
Semantic code search - Quickly interrogate a codebase to identify areas of interest for further investigation, for example searching for methods with a particular signature or variables that may contain credentials.
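Both queries mentioned above (methods with a given signature, names that may hold credentials), as an added example that is not part of the original page: searches over a Python AST rather than plain text, so a parameter name is matched only in a signature and a credential-like name is reported only when it is assigned a string literal. The regular expression, the helper names and the constructed sample are assumptions for this illustration.

```python
import ast
import re

# Assumed pattern for credential-like identifiers; tune for your codebase.
CREDENTIAL_RE = re.compile(r"passw(or)?d|secret|api_?key|token", re.IGNORECASE)


def functions_with_parameter(source_code, param_name):
    """(name, line) of every function whose signature declares a parameter named param_name."""
    tree = ast.parse(source_code)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            declared = [a.arg for a in node.args.args + node.args.kwonlyargs]
            if param_name in declared:
                hits.append((node.name, node.lineno))
    return hits


def is_str_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def hardcoded_credentials(source_code):
    """Credential-like names bound to a string literal, via assignment or keyword argument."""
    tree = ast.parse(source_code)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and is_str_literal(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and CREDENTIAL_RE.search(target.id):
                    hits.append(("assign", target.id, node.lineno))
        elif isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg and CREDENTIAL_RE.search(kw.arg) and is_str_literal(kw.value):
                    hits.append(("kwarg", kw.arg, node.lineno))
    return hits


# Constructed sample to search (not real application code).
SAMPLE = """\
API_KEY = "sk-constructed-example"
timeout = 30

def connect(host, password, retries=3):
    session = login(user="svc", password="constructed-literal")
    return session

async def handler(request):
    token = request.headers.get("X-Token")
    return token
"""

if __name__ == "__main__":
    print(functions_with_parameter(SAMPLE, "request"))
    print(hardcoded_credentials(SAMPLE))
```

Note that `token` on line 9 of the sample is not reported: it is credential-like but comes from a header lookup, not a literal, so a text grep for "token" would produce noise that the AST query avoids.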