Secure Code Review


The goals of my project are:

  1. to develop additional reviews in the Secure Code Review module
  2. to improve the reporting of results from the module
  3. to provide Drush commands to invoke the reviews

Comments

This content of those links


Who: Jim Berry, solotandem in IRC.

Overview:

The goals of my project are: 1) to develop additional reviews in the Secure Code Review module, an automated tool to assist with security reviews of Drupal module code, 2) to improve the reporting of results from the module, and 3) to provide Drush commands to invoke the reviews. The review tools will be built atop the grammar parser library and its code manipulation API (CMAPI). The project may also involve extending and enhancing the CMAPI to support the security review tools. CMAPI provides tools for traversing, searching and modifying a code snippet.

Description:

As with automated testing and upgrading of code, the use of an automated tool to analyze (and possibly modify) code for security vulnerabilities has the potential to be more productive than the repetition of manual security reviews. The new reviews will target the contributed module vulnerabilities announced by the Drupal Security Team in the last two years. It would be helpful to have input from members of the Drupal Security Team who have experience in finding and fixing vulnerabilities in code.

Schedules:

  1. Conduct research on security vulnerabilities, correction methods, and secure coding techniques. (June 7th)
  2. Prepare sample module with code vulnerabilities. (June 14th)
  3. Develop security review routines to locate vulnerabilities in sample module. (June 28th)
  4. Design and implement a user interface to display security review results. (July 12th)
  5. Implement automated tests against a known vulnerability pattern. (July 19th)
  6. Develop vulnerability conversion routines. (August 9th)
  7. Scrub code, write more tests, and improve documentation. (August 16th)

Mentors: Greg Knaddison, others interested in this topic
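To make step 3 of the schedule concrete, here is an added illustration of the kind of review routine that locates an XSS pattern in a sample module. It is not the Secure Code Review module's code and is not built on the grammar parser or the CMAPI; it uses only PHP's own tokenizer, and the function name and sample snippet are constructed for this example (check_plain and filter_xss are Drupal's real sanitizers).

```php
<?php
// Added illustration (not the Secure Code Review module's code or the CMAPI):
// a token-based review routine that flags superglobal user input passed to
// echo/print without a Drupal output sanitizer. Needs PHP 5.3+ (nowdoc).
function review_unsanitized_output($code) {
  $inputs = array('$_GET', '$_POST', '$_REQUEST', '$_COOKIE');
  $sanitizers = array('check_plain', 'filter_xss', 'filter_xss_admin', 'check_markup');
  $findings = array();
  $tokens = token_get_all($code);
  $count = count($tokens);
  for ($i = 0; $i < $count; $i++) {
    $t = $tokens[$i];
    if (!is_array($t) || ($t[0] !== T_ECHO && $t[0] !== T_PRINT)) {
      continue;
    }
    // Walk the output statement up to its terminating ';', recording whether
    // it reads a request superglobal and whether a sanitizer is called on it.
    $uses_input = FALSE;
    $sanitized = FALSE;
    $text = '';
    for ($j = $i + 1; $j < $count && $tokens[$j] !== ';'; $j++) {
      $s = $tokens[$j];
      if (!is_array($s)) { $text .= $s; continue; }
      $text .= $s[1];
      if ($s[0] === T_VARIABLE && in_array($s[1], $inputs, TRUE)) {
        $uses_input = TRUE;
      }
      if ($s[0] === T_STRING && in_array($s[1], $sanitizers, TRUE)) {
        $sanitized = TRUE;
      }
    }
    if ($uses_input && !$sanitized) {
      // $t[2] is the line number the tokenizer records for the echo/print.
      $findings[] = array('line' => $t[2], 'statement' => trim($text));
    }
  }
  return $findings;
}

// Constructed sample module snippet: one vulnerable print, one sanitized.
$sample = <<<'PHP'
<?php
function example_page() {
  print $_GET['name'];
  print check_plain($_GET['name']);
}
PHP;
foreach (review_unsanitized_output($sample) as $f) {
  printf("line %d: unsanitized request input in output: %s\n", $f['line'], $f['statement']);
}
```

This only catches input printed within the same statement; input copied into a local variable first needs the traversal and dataflow tracking that a parser-based tool such as the CMAPI is meant to provide.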


From sun


From sun (http://drupal.org/node/1139168#comment-4421164) ... The Secure Code Review project should have a look at my initial prototype patch for Drupal core in #786856 (XSS attacks and security scan via testbot)

Google Summer of Code 2011
