I've been writing software for ~7 years and have been actively interested in security for ~2-3. This interest has been entirely self-motivated and primarily on the attack side; I've written several FOSS offensive security tools and taken deep dives into certain attack vectors like DNS rebinding. Because of this experience I've managed to land my first infosec job as an Application Security Engineer at a VPS/cloud compute company. One of my roles will be to conduct regular code reviews of all of the software we build. I'm no stranger to reading code and making informal suggestions, but this will be my first time conducting systematic and formal reviews of other people's code on a regular basis. To be honest, I'm a bit intimidated. I have a passion for security that I've exercised on my own for years, but I've never been in charge of making high-risk authoritative recommendations on the subject, at least not at a code level.

Does anyone have any suggestions for ways to gain experience or comfortability with conducting security-related code reviews? I've got two weeks before assuming the role and I'd love to get some experience with reviewing code and learning to recommend best practices before I appear at the company as some sort of authority figure. Any general advice, recommendations, or thoughts are much appreciated!

  • I think your question is more about manual code review; however, from a vulnerability scanning perspective we have found Black Duck pretty good along with npm audit. This is probably not going towards really answering your question, but I thought it might be of use. – Darragh 3 hours ago
  • If you're looking for experience reviewing code, and getting info about code reviews then you want to check out the StackExchange called Code Review. People post code there, and other people review it. – Daisetsu 1 hour ago
