OWASP Cheat Sheet is what I’d start with. OWASP SAMM and DSOMM if you’re looking something beyond just coding that covers everything a business should be doing and DevOps respectively. Beyond that please tag me if you find something good that’s language specific. More on reddit.com

Use a SAST tool. You are taking on too much accountability doing it manually. More on reddit.com

Some degree of familiarity for each language is good, but I wouldn't say it's super mandatory to get started. Let's say you're reviewing an API. After you understand the context for the API, what works for me is to review the code by following the data flow, i.e. check the controllers, the endpoints inside of it. Check who should have access to those endpoints vs who actually has access to those. Also check which input is expected, and verify validations to see if that gives you any hints about what could go wrong. Usually checking the models and services in use would be a reasonable next step. Another thing you might be interested to look into: Dependencies: Anything vulnerable or malicious? Dockerfiles: What's happening in it? Do they run as root? Is the image trusted? Any hardcoded secrets you can find? Security headers: Anything that could be better? Any misconfiguration for anything in use? IMO, the attitude for a security review goes beyond attempting to find "exploitable" vulnerabilities, as it's also important to reduce the impact of vulnerabilities in case they ever happen. Apply this logic for whatever you need to review. More on reddit.com

We typically start in the hygiene end, to determine the general health of the code base with something like SonarQube. Depending on situation we sometimes require certain things to be fixed first, before proceeding. After that it's static analysis time, no point spending time looking for things that can be automatically found (Coverity, CodeQL for secrets scanning etc). After that we do the manual review, depending on size and structure it might need to be divided into several parts, but I don't really agree that it's not possible to review large code bases manually, one just need to account for the time and do it progressively. (It's not reasonable to think auditing a large code base is something that can be done quickly or that there are shortcuts that doesn't compromise the audit.) Depending on findings or knowledge beforehand we do some fuzzing of inputs and try various known payloads for format parsers like XML and any deserialization. If there are CI/CD pipelines we review those as well, creating dependency graphs and ensuring security updates are enabled (dependabot, Mend, etc) and that containers are secured (using trivy) and that secrets are managed correctly. Every project is different though, but that's the gist of how we approach the hands-on aspects of it. More on reddit.com