analyzing-code-security


Security Review Workflow

Follow these steps when conducting a manual security code review:

  1. Identify the attack surface. Determine entry points: API endpoints, message handlers, file parsers, user-facing forms. Read route definitions and controller registrations to build a map.
  2. Trace data flows from sources to sinks. Follow untrusted input (HTTP parameters, headers, request bodies, file uploads, external API responses) through all transformations to dangerous operations (database queries, command execution, HTML rendering, file system access).
  3. Check trust boundary crossings. At every point where data crosses a trust boundary (client→server, service→service, user input→database), verify that validation, authentication, and authorization are enforced.
  4. Apply framework checklists. Consult references/framework-checklists.md for OWASP Web/API/Mobile Top 10 and CWE Top 25. Check each applicable category against the code under review.
  5. Adopt an adversarial mindset. Form a hypothesis (e.g., "I can bypass SSO", "I can access another user's vault") and work backwards to determine what conditions would make it exploitable.
  6. Map findings to CWE IDs. Every finding must include the specific CWE identifier, the code location, and the data flow that makes it exploitable.
  7. Classify by practical exploitability. Distinguish between practically exploitable vulnerabilities and theoretical risks. Prioritize accordingly but document both.
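As an added, self-contained illustration of steps 1, 2 and 6 above (example code written for this page, not code from the skill, from its references, or from Bitwarden), the following Python script mechanizes source-to-sink tracing over a small set of constructed Flask-style handlers. It assumes entry points are functions registered with @app.route-style decorators, that the untrusted request object is named request, and that int()/float() casts cut a flow; the sink table, the CWE mapping and the sample handlers are all constructed for this example. It only follows assignments within one handler, so anything a manual review would trace across function calls is out of its scope.

```python
import ast
from dataclasses import dataclass

# Step 1: entry points are functions registered as routes (Flask-style decorators, assumed)
ROUTE_DECORATORS = {"route", "get", "post", "put", "delete"}
# Step 2: untrusted sources are expressions rooted at the request object (assumed name)
SOURCE_ROOT = "request"
# Step 6: dangerous sinks keyed by callee name, mapped to the CWE a finding is filed under
SINKS = {
    "execute": ("CWE-89", "SQL injection"),
    "run": ("CWE-78", "OS command injection"),
    "system": ("CWE-78", "OS command injection"),
    "open": ("CWE-22", "Path traversal"),
    "render_template_string": ("CWE-79", "Cross-site scripting"),
}
# Casts that leave no attacker-controlled string content; treated as cutting the flow
SANITIZERS = {"int", "float"}

# Constructed sample handlers to review (toy code written for this example, not Bitwarden code)
SAMPLE = '''\
from flask import request
import subprocess

@app.route("/items")
def list_items():
    name = request.args.get("name")
    query = "SELECT * FROM items WHERE name = '" + name + "'"
    return db.execute(query)

@app.route("/ping")
def ping():
    host = request.args["host"]
    count = int(request.args.get("n", "1"))
    subprocess.run("ping -c " + str(count) + " " + host, shell=True)

@app.route("/ok")
def ok():
    limit = int(request.args.get("n", "1"))
    return db.execute("SELECT * FROM items LIMIT ?", (limit,))
'''


@dataclass
class Finding:
    cwe: str
    title: str
    function: str
    line: int
    flow: list[str]  # source -> intermediate variables -> sink: the evidence step 6 asks for


def _is_entry_point(func: ast.FunctionDef) -> bool:
    for dec in func.decorator_list:
        target = dec.func if isinstance(dec, ast.Call) else dec
        if isinstance(target, ast.Attribute) and target.attr in ROUTE_DECORATORS:
            return True
    return False


def _is_source(node: ast.AST) -> bool:
    """True for request.args[...], request.form.get(...), request.headers[...] and so on."""
    while isinstance(node, (ast.Attribute, ast.Subscript, ast.Call)):
        node = node.func if isinstance(node, ast.Call) else node.value
    return isinstance(node, ast.Name) and node.id == SOURCE_ROOT


def _taint_of(node: ast.AST, tainted: dict) -> list[str]:
    """Return the source-to-here path feeding an expression, or [] if it is clean."""
    if isinstance(node, ast.Name):
        return list(tainted.get(node.id, []))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in SANITIZERS:
        return []  # int(...) / float(...) cut the flow
    if _is_source(node):
        return [ast.unparse(node)]
    path: list[str] = []
    for child in ast.iter_child_nodes(node):
        path.extend(_taint_of(child, tainted))
    return path


def _statements(body):
    """Yield statements in source order, descending into if/for/while/with/try bodies."""
    for stmt in body:
        yield stmt
        for part in ("body", "orelse", "finalbody"):
            yield from _statements(getattr(stmt, part, []))


COMPOUND = (ast.If, ast.For, ast.While, ast.With, ast.Try)


def review(source: str) -> list[Finding]:
    findings: list[Finding] = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef) or not _is_entry_point(func):
            continue  # step 1: only handlers reachable from the attack surface
        tainted: dict[str, list[str]] = {}
        for stmt in _statements(func.body):
            # step 2: propagate taint through assignments (a clean reassignment clears it)
            if isinstance(stmt, ast.Assign) and len(stmt.targets) == 1 \
                    and isinstance(stmt.targets[0], ast.Name):
                var = stmt.targets[0].id
                path = _taint_of(stmt.value, tainted)
                if path:
                    tainted[var] = path + [var]
                else:
                    tainted.pop(var, None)
            if isinstance(stmt, COMPOUND):
                continue  # their bodies are visited by _statements
            for call in ast.walk(stmt):
                if not isinstance(call, ast.Call):
                    continue
                callee = call.func
                name = callee.attr if isinstance(callee, ast.Attribute) else getattr(callee, "id", None)
                if name not in SINKS:
                    continue
                path = []
                for arg in list(call.args) + [kw.value for kw in call.keywords]:
                    path.extend(_taint_of(arg, tainted))
                if path:  # step 6: tainted data reaches a sink, file it under that sink's CWE
                    cwe, title = SINKS[name]
                    findings.append(Finding(cwe, title, func.name, call.lineno,
                                            path + [ast.unparse(callee) + "()"]))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """One line per finding: CWE, location, and the data flow that makes it exploitable."""
    return [f"{f.cwe} {f.title} in {f.function}() line {f.line}: {' -> '.join(f.flow)}"
            for f in findings]


if __name__ == "__main__":
    for line in report(review(SAMPLE)):
        print(line)
```

Running the script prints one line per finding with the chain of variables that step 6 asks for; the /ok handler produces none because the only request value it uses passes through int() before reaching execute(). Step 7 still needs a human: the tool cannot tell whether the "name" parameter is reachable without authentication or whether db.execute is wrapped by a parameterizing layer, which is exactly the practical-exploitability judgement the checklist leaves to the reviewer.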

Key Vulnerability Categories

The most frequently encountered categories across Bitwarden's stack:

Installs: 56 · GitHub stars: 119 · First seen: Mar 19, 2026
analyzing-code-security — bitwarden/ai-plugins