PurposeThe purpose of a security code review is to identify flaws in the design or implementation of software. The review doesn't necessarily look to find every single flaw but instead provides a developer with ideas for hardening their code.
FocusSecure code reviews may focus on areas of particular concern to information security such as authentication, authorization, session management, input validation, exception handling, audit trail and cryptographic features such as encryption of data in storage and transit.
AutomationAutomated tools exist for secure code review. In many cases, a manual and automated review complement each other as they tend to find different types of flaws. For example, a developer may identify high level design issues that a tool might miss.
ProcessA secure code review begins with an overview of the code by the developers who wrote it. The team then inspects security critical areas of the code and documents design and implementation flaws.Excluded from secure code review are processes such as risk assessment and security testing. Developers need not run the code. All perceived flaws are documented without assessment of acceptable levels of risk.Secure code review is meant to complement processes such as risk assessments, security audits and penetration testing as part of a software security assurance practice.The developers who wrote the code take the list of flaws and implement fixes. A follow up meeting is conducted to review the changes. In some cases, developers may argue that certain documented flaws aren't really flaws. In most cases, the developers who wrote the code are given final say in such discussions.
OutputA list of security flaws both at the design and implementation level.
|Overview: Security Code Review|
A peer review process that examines the security features of software.
A manual or automated inspection of software design and code for security flaws.
Also Known As
Secure code review