Company:
Date Published:
Author: Brian Vermeer, Trisha Gee
Word count: 3180
Language: English
Hacker News points: None

Summary

It's always a good idea to check for security issues in code that you review. Code reviews are hard to do well, particularly when you're not entirely sure which errors you should be looking for. The DevSecOps approach shifts security testing left so that vulnerabilities can be found and fixed earlier, in the design, development, or CI/CD stages of the workflow. To help with code reviews, there's a handy checklist of pointers for your next code reviews.

When reviewing code, be sure you understand what lies behind it, and thus the data and assets you are trying to protect. This working knowledge isn't easy to put into a checklist, but using the tips in this cheatsheet alongside your domain knowledge will help you decide where to spend more of your time and where to expect higher risk and different types of attacks.

Sanitize and validate all input, as modern web applications have to interact with third-party input that can be unexpected. Never store secrets as code or config: it's easy for such code to make its way into the repository because a developer forgot to remove it. Test for new security vulnerabilities introduced by third-party open source dependencies, as attackers target these more and more. Enforce secure authentication, including password complexity, re-authentication before sensitive operations, and TLS client authentication. Enforce the principle of least privilege, which means giving users or processes only the information and resources they need for their legitimate purpose. Handle sensitive data with care: look closely at your application's design, determine whether you really need the data, don't expose it, store it properly, and protect against well-known attacks like XSS and SQL injection. Finally, statically test your source code automatically using a SAST tool like Snyk Code to find security-related bugs.
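Three of the checklist items above (validate input, never hard-code secrets, guard against SQL injection) are easiest to recognise in a review when the flagged pattern sits next to its fix. The following is an added example, not code from the original post or from Snyk: it uses an in-memory SQLite database seeded with constructed rows, a hypothetical `find_user_vulnerable` function showing the pattern a reviewer should reject, a `find_user_parameterized` and `find_user_hardened` pair showing the fix, and a `load_secret` helper that reads credentials from the environment instead of source.

```python
import os
import re
import sqlite3

# Constructed sample rows for the in-memory database (not from the original post).
SAMPLE_USERS = [
    ("alice", "alice@example.com", "user"),
    ("bob", "bob@example.com", "admin"),
]

# Allow-list for usernames: lowercase letters, digits, underscore, 3-32 chars.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def make_db():
    """Create an in-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """The pattern a reviewer should flag: untrusted input spliced into SQL text.

    A quote character in `username` changes the structure of the statement,
    so the caller's input decides which rows come back."""
    query = f"SELECT name, email, role FROM users WHERE name = '{username}'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn, username):
    """Bind the input as a parameter so the driver treats it purely as data."""
    query = "SELECT name, email, role FROM users WHERE name = ?"
    return conn.execute(query, (username,)).fetchall()


def validate_username(username):
    """Allow-list validation: reject anything that is not a plausible username."""
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def find_user_hardened(conn, username):
    """Validate first, then use the parameterized query: two independent layers."""
    return find_user_parameterized(conn, validate_username(username))


def load_secret(name):
    """Read a secret from the environment instead of from source or committed config.

    Failing loudly when it is absent is safer than a silent hard-coded fallback."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"secret {name} is not set in the environment")
    return value


if __name__ == "__main__":
    conn = make_db()
    # Constructed untrusted input containing a quote and an OR clause.
    untrusted = "nobody' OR '1'='1"
    print("vulnerable rows:", len(find_user_vulnerable(conn, untrusted)))
    print("parameterized rows:", len(find_user_parameterized(conn, untrusted)))
    try:
        find_user_hardened(conn, untrusted)
    except ValueError as exc:
        print("hardened rejected input:", exc)
    print("hardened lookup:", find_user_hardened(conn, "alice"))
```

Running it shows the vulnerable lookup returning every row for the malformed input, the parameterized lookup returning none, and the hardened lookup rejecting the input before it reaches the database. In review, the thing to look for is any query text built with string formatting or concatenation; the parameterized form is the same length and is what should be requested instead.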