What is a Security Code Review?

A security code review is a peer review process that examines the security-relevant design and code of software for flaws. It typically involves a small team, commonly three to seven developers, including those who wrote the code. In some cases, security subject matter experts also participate.

Purpose

The purpose of a security code review is to identify flaws in the design or implementation of software. The review does not aim to find every flaw; it gives the developer a concrete list of findings and ideas for hardening their code.

Focus

Secure code reviews usually focus on the areas of greatest concern to information security: authentication, authorization, session management, input validation, exception and error handling, audit logging, and cryptographic features such as the encryption of data at rest and in transit.
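An added example of what a reviewer looks for in these areas, not code from the original page: a small account-lookup handler as a review team would find it, beside the hardened rewrite the review would ask for. The in-memory SQLite schema, the rows, the session token and the request dictionaries are all constructed for this illustration.

```python
import sqlite3

# Constructed in-memory store standing in for the application's database.
# The schema, rows and session token are invented for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "111-11-1111"), (2, "bob", "222-22-2222")])
    conn.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, user_id INTEGER)")
    conn.execute("INSERT INTO sessions VALUES ('tok-alice', 1)")
    return conn


# --- Before: the handler as a reviewer would find it -----------------------
def get_user_before(conn, request):
    # Finding 1 (input validation): user_id is spliced into the SQL text,
    # so a value such as "1 OR 1=1" returns every row.
    # Finding 2 (session management / authorization): nothing checks who is
    # asking, so any caller can read any user's record.
    # Finding 3 (exception handling): the raw error and the query text are
    # returned to the caller, leaking schema details.
    sql = "SELECT id, name, ssn FROM users WHERE id = %s" % request["user_id"]
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as e:
        return {"error": str(e), "query": sql}


# --- After: the hardened rewrite the review would ask for ------------------
def get_user_after(conn, request, audit):
    # Session management: resolve the presented token to a user, or refuse.
    token = request.get("session")
    if not isinstance(token, str) or not token:
        return {"error": "unauthenticated"}
    row = conn.execute("SELECT user_id FROM sessions WHERE token = ?", (token,)).fetchone()
    if row is None:
        return {"error": "unauthenticated"}
    session_user = row[0]

    # Input validation: the identifier must be a positive integer, nothing else.
    try:
        user_id = int(request.get("user_id", ""))
    except (TypeError, ValueError):
        return {"error": "bad request"}
    if user_id <= 0:
        return {"error": "bad request"}

    # Authorization: a user may read only their own record; refusals are logged.
    if user_id != session_user:
        audit.append(f"DENY read user={user_id} by user={session_user}")
        return {"error": "forbidden"}

    # Parameterized query plus a generic error message: details go to the
    # audit trail, not to the caller.
    try:
        row = conn.execute("SELECT id, name, ssn FROM users WHERE id = ?",
                           (user_id,)).fetchone()
    except sqlite3.Error as e:
        audit.append(f"ERROR read user={user_id}: {type(e).__name__}")
        return {"error": "internal error"}
    audit.append(f"ALLOW read user={user_id} by user={session_user}")
    if row is None:
        return {"error": "not found"}
    return {"id": row[0], "name": row[1], "ssn": row[2]}


if __name__ == "__main__":
    db = make_db()
    print(get_user_before(db, {"user_id": "1 OR 1=1"}))                # every row leaks
    trail = []
    print(get_user_after(db, {"session": "tok-alice", "user_id": "2"}, trail))  # forbidden
    print(get_user_after(db, {"session": "tok-alice", "user_id": "1"}, trail))  # alice only
    print(trail)
```

Each comment in the "before" function is the kind of entry that ends up on the review's findings list: the area of concern, where it is in the code, and what goes wrong. The "after" version is what a follow-up meeting would check against those entries.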

Automation

Automated tools (static analysis, often called SAST) exist for secure code review. In most cases, manual and automated review complement each other because they find different types of flaws: a tool applies known dangerous patterns consistently across a large code base (SQL assembled from strings, hard-coded credentials, unsafe API calls), while a human reviewer can identify high-level design issues, such as a missing authorization check, that a tool has no way to recognize as a flaw.
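To make the division of labour concrete, here is an added example (not from the original page or any real tool) of a minimal pattern-based scanner of the kind an automated review runs, applied to a constructed sample module. The rules, the rule names and the sample source are all invented for this illustration. The scanner flags the hard-coded key and the shell command, but the missing ownership check in delete_document is invisible to it and is the kind of finding only a manual review produces.

```python
import re

# Constructed module under review; it is not code from any real project.
SAMPLE_SOURCE = '''\
import subprocess
API_KEY = "sk-live-0123456789abcdef"

def archive(path):
    subprocess.run("tar czf backup.tgz " + path, shell=True)

def delete_document(db, session_user, doc_id):
    # Any authenticated user can delete any document: no ownership check.
    db.execute("DELETE FROM documents WHERE id = ?", (doc_id,))
'''

# Pattern rules of the kind a static analysis tool applies to every line.
# Rule names are invented for this example.
RULES = [
    ("SHELL_TRUE",
     re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True"),
     "command string handed to a shell"),
    ("HARDCODED_SECRET",
     re.compile(r"""(?i)\b(api_key|secret|password)\s*=\s*["'][^"']+["']"""),
     "credential committed in source"),
    ("STRING_SQL",
     re.compile(r"""execute\(\s*["'].*["']\s*(%|\+)"""),
     "SQL assembled from strings"),
]


def scan(source):
    """Return one finding per (line, rule) match, in source order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule_id, pattern, desc in RULES:
            if pattern.search(line):
                findings.append({"rule": rule_id, "line": lineno,
                                 "desc": desc, "text": line.strip()})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['rule']} ({f['desc']}): {f['text']}")
    # Nothing is printed for delete_document: the authorization gap is a
    # property of the design, not of any single line's syntax.
```

The scanner's output is a list of implementation-level findings with locations, which is exactly what a tool contributes to the review's findings list; the design-level finding for delete_document has to be written by a person who understands what the function is for.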

Process

A secure code review begins with an overview of the code by the developers who wrote it. The team then inspects the security-critical areas of the code and documents design and implementation flaws.
Risk assessment and security testing are excluded from the review itself: reviewers need not run the code, and every perceived flaw is documented without judging whether its risk is acceptable.
Secure code review is meant to complement processes such as risk assessments, security audits and penetration testing as part of a software security assurance practice.
The developers who wrote the code take the list of flaws and implement fixes. A follow-up meeting is held to review the changes. In some cases, developers may argue that certain documented flaws aren't really flaws. In most cases, the developers who wrote the code are given the final say in such discussions, though the finding and the reason for dismissing it should stay on the record so the decision can be revisited.

Output

A list of security flaws at both the design and implementation level, each with its location in the code and a description of the problem.

Overview: Security Code Review
Type: Coding, Information Security, Software Security Assurance
Definition (1): A peer review process that examines the security-relevant design and code of software for flaws.
Definition (2): A manual or automated inspection of software design and code for security flaws.
Also Known As: Secure code review