Articles on guy@secdev.uk

Rust Security Code Review Guide

Sat, 04 Apr 2026 00:00:00 +0000

1. Introduction

I put this guide together as a structured approach to security-focused code review for Rust applications. Whether you’re just starting to identify security vulnerabilities in Rust code or you’re an experienced developer looking for a language-specific checklist, I’ve tried to make it useful at both levels.

Rust’s ownership model, borrow checker, and type system prevent entire classes of bugs, use-after-free, null pointer dereferences, and data races in safe code. However, what I found when I started reviewing Rust codebases is that unsafe blocks, third-party crate choices, and application-level logic errors still introduce serious vulnerabilities. What follows covers manual review strategies, common anti-patterns, recommended tooling, and vulnerability patterns organised by class, with cross-references to the intentionally vulnerable examples in this project.

Rust Learning Guide - Anti-Patterns

Wed, 11 Mar 2026 00:00:00 +0000

Overview

The antipatterns.rs module Source Code File demonstrates 15 common Rust mistakes and their correct solutions. I put this together because I noticed the same patterns coming up, especially from developers (myself included) fighting the borrow checker instead of working with it.

Anti-Patterns Covered

1. Unnecessary .clone() Everywhere

❌ Cloning to avoid borrow checker
✅ Use references (&T) instead

2. Using .unwrap() in Production

❌ Crashes program on error
✅ Return Result<T, E> and handle gracefully

3. Returning References to Local Variables

❌ Dangling references (won’t compile)
✅ Return owned data or use ‘static lifetime

4. Using String When &str Would Work

❌ Forces caller to own String
✅ Accept &str - works with both

5. Ignoring Compiler Warnings

❌ Unused mut, unused variables
✅ Listen to the compiler

6. Using Indices Instead of Iterators

❌ C-style loops can panic
✅ Use iterators - safer and clearer

7. Manually Implementing What Traits Provide

❌ Manual equality checks
✅ #[derive(PartialEq, Debug, Clone)]

8. Using Vec When Array Would Work

❌ Heap allocation for fixed-size data
✅ Use arrays [T; N] for stack allocation

9. Nested match/if let Instead of Combinators

❌ Deeply nested matching
✅ Use .map(), .filter(), .and_then()

10. Using Mutex When Not Needed

❌ Mutex in single-threaded code
✅ Just use regular variables

11. Collecting Iterator Just to Iterate Again

❌ Unnecessary intermediate collection
✅ Chain iterators directly

12. Using Deref Coercion as Inheritance

❌ Simulating inheritance with Deref
✅ Use composition explicitly

13. Panicking in Library Code

❌ panic!() crashes caller’s program
✅ Return Result and let caller decide

14. Using format! When to_string() Works

❌ Overkill for simple conversions
✅ Use .to_string() for clarity

15. Implementing Default Manually

❌ Manual new() constructor
✅ Implement Default trait

Key Principle

Work WITH Rust’s ownership system, not against it.

Rust Learning Guide - Core Concepts Explained

Fri, 06 Feb 2026 00:00:00 +0000

I put this guide together to explain each Rust concept demonstrated in the example programs, with comparisons to C and Java. The more I dug into Rust’s design decisions, the more I appreciated how much thought went into making safety guarantees that don’t cost you performance. Here’s what I found.

Supporting Code Examples

1. OWNERSHIP SYSTEM

What it is: Rust’s core memory management system. Every value has a single owner, and when the owner goes out of scope, the value is dropped (freed). This was the concept that took the longest to click for me, but once it did, everything else fell into place.

Go Learning Guide

Tue, 06 Jan 2026 00:00:00 +0000

A structured learning guide for developers coming from Java, C, or Python who want to learn Go. I put this together because when I started learning Go myself, I kept wishing for a resource that mapped Go’s idioms back to languages I already knew. Github Repo of Code Examples

Introduction to Go

Go (also called Golang) was created at Google in 2009 by Robert Griesemer, Rob Pike, and Ken Thompson. It was designed to address the challenges of building large-scale, concurrent software systems while keeping the language simple and productive.

Python Security Code Review Guide

Wed, 22 Oct 2025 00:00:00 +0000

1. Introduction

I put this guide together as a structured approach to security-focused code review for Python applications. Whether you’re just starting to identify security vulnerabilities in Python code or you’re an experienced developer looking for a language-specific checklist, I’ve tried to make it useful at both levels.

Python’s dynamic typing, rich standard library, and extensive third-party ecosystem make it enormously productive, but the more I reviewed Python codebases, the more I realised these same qualities introduce security pitfalls that static analysis alone cannot always catch. What follows covers manual review strategies, common anti-patterns, recommended tooling, and vulnerability patterns organised by class, with cross-references to the intentionally vulnerable examples in this project.

Java Security Code Review Guide

Wed, 09 Jul 2025 00:00:00 +0000

1. Introduction

I put this guide together as a structured approach to security-focused code review for Java applications. Whether you’re just starting to identify security vulnerabilities in Java code or you’re an experienced developer looking for a language-specific checklist, I’ve tried to make it useful at both levels.

Java’s strong type system, managed memory, and mature ecosystem offer many safety guarantees, but the more I researched Java security, the more I realised the language and its frameworks still expose developers to a wide range of pitfalls including injection, deserialisation, reflection abuse, JNDI injection, and misconfigured XML parsers. What follows covers manual review strategies, common anti-patterns, recommended tooling, and vulnerability patterns organised by class, with cross-references to the intentionally vulnerable examples in this project.

C++ Security Code Review Guide

Mon, 24 Mar 2025 00:00:00 +0000

1. Introduction

I put this guide together as a structured approach to security-focused code review for C++ applications. Whether you’re just starting to identify security vulnerabilities in C++ code or you’re an experienced developer looking for a language-specific checklist, I’ve tried to make it useful at both levels.

C++ inherits many of C’s low-level risks, manual memory management, pointer arithmetic, and the absence of bounds checking, while adding its own layer of complexity through classes, templates, smart pointers, the STL, RAII, and operator overloading. What I find fascinating about C++ security is the duality: when used correctly, features like std::unique_ptr, std::vector, and RAII can eliminate entire vulnerability classes. When misused, they create subtle bugs that are harder to spot than their C equivalents, dangling references from moved-from objects, use-after-free through raw pointer aliases to smart-pointer-managed memory, iterator invalidation, and implicit conversions in template code. What follows covers manual review strategies, common anti-patterns, recommended tooling, and vulnerability patterns organised by class, with cross-references to the intentionally vulnerable examples in this project.

C Security Code Review Guide

Tue, 04 Feb 2025 00:00:00 +0000

1. Introduction

I put this guide together as a structured approach to security-focused code review for C applications. Whether you’re just starting to identify security vulnerabilities in C code or you’re an experienced developer looking for a language-specific checklist, I’ve tried to make it useful at both levels.

C’s manual memory management, lack of bounds checking, direct pointer arithmetic, and minimal runtime safety make it uniquely prone to entire classes of vulnerabilities that higher-level languages prevent by design. The more I dug into C codebases, the more I appreciated just how many ways things can go wrong, buffer overflows, use-after-free, null pointer dereferences, integer overflows, and format string attacks are all first-class concerns. What follows covers manual review strategies, common anti-patterns, recommended tooling, and vulnerability patterns organised by class, with cross-references to the intentionally vulnerable examples in this project.

JavaScript Security Code Review Guide

Wed, 09 Oct 2024 00:00:00 +0000

1. Introduction

I put this guide together as a structured approach to security-focused code review for JavaScript and Node.js applications. Whether you’re just starting to identify security vulnerabilities in JavaScript code or you’re an experienced developer looking for a language-specific checklist, I’ve tried to make it useful at both levels.

JavaScript’s dynamic typing, prototype-based inheritance, single-threaded event loop with async concurrency, and the vast npm ecosystem make it enormously productive, but the more I dug into JavaScript security, the more I realised these same qualities introduce security pitfalls that static analysis alone cannot always catch. What follows covers manual review strategies, common anti-patterns, recommended tooling, and vulnerability patterns organised by class, with cross-references to the intentionally vulnerable examples in this project.