Security-Focused Review Guide
Last updated
HackerOne Code is a security-focused offering. It addresses the growing need for developer-friendly security tooling by providing on-demand security expertise that accelerates development cycles and reduces vulnerabilities before they reach production. This extends HackerOne's continuous vulnerability testing framework with a robust code review component, giving customers a more comprehensive security posture from development through production.
Note: Some common security-related issues and some additional notes on reviewing for security can be found here: . Basic code review best practices can also be found here:
For our customers, keep these basic goals in mind:
Reduce alert fatigue from noisy code scanners and AI. You, the human in the loop, are essential for weeding through this noise and surfacing only the concerns that matter, reducing false positives while adding a layer of scrutiny before merge.
You, the human expert in the loop, will give developers access to the security context they need to ship secure code, faster—without the false positives and bottlenecks.
In addition to the existing guidance on how to provide a great experience for HackerOne's customers, please keep the following points in mind:
Keep feedback related to security concerns (these may be direct, such as an exploitable bug, or indirect, such as a weakened control that makes a future bug easier to exploit)
Raise feedback only on valid issues, or bring attention to issues that could be valid but require clarification from the development team to determine validity
Focus on areas highlighted by our security automation and AI hot spots (see the next section for more information on these), raising only issues that are valid to the best of your ability given the available context
Focus on other areas not highlighted by our automation that deserve additional scrutiny in your best judgement
The reviewer interface for this type of review has been designed so that you are engaged and have the tools you need to do the job more easily and with the right expectations. Complete a review with the following three steps in mind.
Review the automated results raised by the various Application Security Testing (AST) tools provided. The Automation Results Checklist lets you jump directly to each automated security rule that was triggered.
For any automated results that are invalid or false positives, leave them as they are and do not convert them. Those that are valid should be escalated using the Convert to a comment button. If you are unsure of the validity of an automated finding, or you are missing relevant context, raise the finding with a clarifying question and explain, with as much detail as you can, why you think it could be a valid risk for the code author to consider.
Review any code highlighted in pink. Our AI hot spots engine attempts to find risky areas of code and highlights those sections to draw attention to them. Each finding highlighted in pink comes with an explainer describing why the code was flagged, along with the ability to convert that explainer to a comment. As with other automated findings, raise only issues tied to verified risk; this is where human expertise adds value. To report a valid finding here, click the icon and edit the explainer so the feedback is accurate and helpful.
You bring the subject matter expertise to review our customers' code. If you feel there are other areas that deserve additional scrutiny in a security context, we encourage you to go beyond the automation. This should be a faster and more focused review, but we still want to be thorough, since reporting risks in code is our highest-priority task.
Once the review is complete, submit it using the Review button in the top right of the review window. A summary comment is optional. If something was discovered during the review, use the summary comment to expand on the issue, its potential impact, and the urgency (if any) of resolving it before merge.
Any new commits related to the security feedback you raised will receive another review. Where it makes sense, use the relevant comment thread to suggest additional changes or to confirm that the changes made resolve the issue. This process continues until the change is ultimately merged or closed by the customer.