Get Started

Source Code Review Methodologies for Secure Development

Secure coding
ApplicationSecurityCode ReviewSecuritySource Code Review

Master essential code review methodologies, including bottom-up analysis with grep patterns, top-down approach, and routing-based reviews for effective source-to-sink vulnerability discovery.

Effective source code review is the cornerstone of application security and vulnerability assessment. Whether you’re conducting manual assessments or leveraging automated SAST tools, understanding different review methodologies ensures more complete coverage and efficient vulnerability discovery, from source to sink.

In this guide, we’ll explore two core methodologies used in white-box penetration testing and secure code audits: bottom-up analysis (including grep-based pattern discovery) and the top-down approach.

Bottom-Up Analysis

The bottom-up methodology begins by identifying dangerous sinks — locations where untrusted input can cause harmful behavior (e.g., command execution, SQL queries, eval, file operations). From there, you trace backward to determine whether any user-controlled input can reach that sink unsanitized.

This is particularly effective for:

  • Sink-focused analysis (e.g., exec(), eval(), query() functions)
  • Tracing untrusted user input flows
  • Validating sanitization and encoding mechanisms
  • Reverse-tracking exploitation paths
// Bottom-up: Start by analyzing known dangerous sinks then move up in the code
public void processCommand(String userInput) {
    if (userInput == null) return;

    try {
        Runtime.getRuntime().exec(userInput);  // Command injection sink
    } catch (IOException e) {
        // Handle error
    }
}

✅ Advantages:

  • Focused and efficient for technical vulnerabilities
  • Easier to automate via grep/SAST
  • Great for finding injection, file path, and serialization issues

❌ Disadvantages:

  • Can miss business logic vulnerabilities
  • Doesn’t reflect the true user flow
  • Inefficient when analyzing access control logic or authorization layers

Grep-Based Pattern Matching

As part of bottom-up reviews, many professionals use grep or regex to quickly scan large codebases for dangerous patterns.

🧨 Identifying Dangerous Sinks

# Command injection sinks
grep -r "Runtime\.exec\|ProcessBuilder" . --include="*.java"
grep -r "exec\|system\|popen" . --include="*.py"
grep -r "eval\(" . --include="*.js" --include="*.py"

# Code execution sinks
grep -r "ScriptEngine\|executeScript" . --include="*.java"
grep -r "Function\|eval" . --include="*.js"

Finding Input Sources

# Common input sources
grep -r "@RequestParam\|@PathVariable\|request\.getParameter" . --include="*.java"
grep -r "request\.form\|request\.args\|request\.json" . --include="*.py"
grep -r "req\.body\|req\.query\|req\.params" . --include="*.js"

# File input sources
grep -r "MultipartFile\|FileUpload" . --include="*.java"
grep -r "request\.files" . --include="*.py"

Regex to find basic dynamic injection patterns

grep -rE "(eval|exec)\s*\(.*\+|\$\{" . --include="*.py" --include="*.js"

🧠 Note: Grep isn’t perfect. It may miss multiline flows, complex abstractions, or sink reassignments. But it’s fast and practical for initial triage.

Top-Down Analysis

The top-down methodology begins with a macro understanding of the application — its architecture, routes, controllers, and data flows — and then drills into business-critical or high-risk functionality.

This approach is excellent for:

  • Reviewing authentication, authorization, and access control logic
  • Understanding full data flow from request to sink
  • Detecting business logic flaws (e.g., broken workflows, privilege escalation)
// Entry point controller
@RestController
public class ScriptController {

    @PostMapping("/api/execute")
    public ResponseEntity<String> execute(@RequestBody ScriptRequest request) {
        return ResponseEntity.ok(scriptService.evaluate(request.getScript()));
    }
}

// Business logic layer
public class ScriptService {
    public String evaluate(String script) {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("js");
        return engine.eval(script).toString(); // Dangerous sink
    }
}

✅ Advantages:

  • Ideal for business logic auditing
  • Helps map entry points, middleware, and authorization paths
  • Reveals complex flaws (e.g., insecure role escalations)

❌ Disadvantages:

  • Time-consuming on large codebases
  • May miss isolated, low-level vulnerabilities
  • Needs strong domain and app knowledge

Critical Security Checkpoints

When tracing any request flow:

  • Input source – Where does the user’s input enter?
  • Validation/Sanitization – Is input sanitized or validated?
  • Authentication – Is the user authenticated?
  • Authorization – Are proper permissions checked?
  • Sink – Does untrusted data reach a dangerous function?
  • Protection controls – CSRF, rate limiting, logging?

Best Practices for Secure Code Auditing

  • Combine top-down and bottom-up in critical flows
  • Maintain a sink/source cheat sheet per language
  • Automate with grep, semgrep, or SAST tools
  • Keep track of common dangerous APIs and gadgets

🎓 Practice What You Learn

AppSecMaster offers real-world secure code challenges across languages and frameworks. Explore vulnerabilities like IDOR, injection, and access control using real code in a CTF-style learning environment.

Try Our Security Challenges

FAQs (Frequently Asked Questions)

What is the difference between bottom-up and top-down code review?

Bottom-up review starts at known vulnerable functions (sinks) and traces the input backward. In contrast, top-down review begins at the entry points, like controllers, and tracks data forward through the application logic.

Why are sink-focused reviews critical in code security?

Sink-focused reviews help quickly identify critical vulnerabilities like command injections or unsafe eval usage by highlighting where untrusted input may reach risky functions without sanitization.

Can grep and regex fully replace manual code review?

Grep and regex are fast for pattern detection, but can’t handle complex flows or logic-based issues. They work best as part of a larger review strategy alongside manual analysis or SAST tools.

What types of vulnerabilities are best found with top-down reviews?

Top-down reviews are ideal for spotting business logic flaws, insecure access control, and broken workflows since they examine how the entire request flow interacts with app logic and permissions.

How do I know if user input is sanitized adequately in code?

Check if the input goes through validation, encoding, or filtering functions before reaching a sink. Also, verify the use of safe APIs, frameworks, or custom sanitization logic for untrusted input.