A-Z Popular New Security Search »
Information Security
 
Related Guides

What is a Security Code Review?

 , updated on
A security code review is a peer review process that examines the security features of software. This typically involves a team of three to seven developers including those who wrote the code. In some cases, security subject matter experts also participate.

Purpose

The purpose of a security code review is to identify flaws in the design or implementation of software. The review doesn't necessarily look to find every single flaw but instead provides a developer with ideas for hardening their code.

Focus

Secure code reviews may focus on areas of particular concern to information security such as authentication, authorization, session management, input validation, exception handling, audit trail and cryptographic features such as encryption of data in storage and transit.

Automation

Automated tools exist for secure code review. In many cases, a manual and automated review complement each other as they tend to find different types of flaws. For example, a developer may identify high level design issues that a tool might miss.

Process

A secure code review begins with an overview of the code by the developers who wrote it. The team then inspects security critical areas of the code and documents design and implementation flaws.
Excluded from secure code review are processes such as risk assessment and security testing. Developers need not run the code. All perceived flaws are documented without assessment of acceptable levels of risk.
Secure code review is meant to complement processes such as risk assessments, security audits and penetration testing as part of a software security assurance practice.
The developers who wrote the code take the list of flaws and implement fixes. A follow up meeting is conducted to review the changes. In some cases, developers may argue that certain documented flaws aren't really flaws. In most cases, the developers who wrote the code are given final say in such discussions.

Output

A list of security flaws both at the design and implementation level.
Overview: Security Code Review
Type
Coding
Information Security
Software Security Assurance
Definition (1)
A peer review process that examines the security features of software.
Definition (2)
A manual or automated inspection of software design and code for security flaws.
Also Known As
Secure code review
Related Concepts

Information Security

This is the complete list of articles we have written about information security.
Audit Trail
Canary Trap
Confidential Information
Critical Infrastructure
Cryptographic Keys
Cryptographic Salt
Cryptography
Cybersecurity Risk
Data Breach
Data Remanence
Data Room
Data Security
Deep Magic
Defense In Depth
Degaussing
Digital Identity
Failure Of Imagination
Geofencing
Hardening
Honeypot
IoT Security
Key Stretching
Network Security
Non-repudiation
Nonce
Operations Security
Overlay Network
Password Entropy
Password Fatigue
Proof Of Work
Sandbox
Secure Code Review
Security As A Service
Security Controls
Zero-day
More ...
If you enjoyed this page, please consider bookmarking Simplicable.
 

Coding

A list of coding considerations and techniques.

Emergence vs Big Design Up Front

The difference between emergence and big-design-up-front.

Deep Magic

An overview of deep magic, a technology term.

Principle Of Least Astonishment

An overview of the Principle Of Least Astonishment.

Pull vs Push

The difference between pull and push technology.

Binary vs Hexadecimal

A comparison of binary and hexadecimal.

End-User Computing

An overview of end-user computing.

Library vs API

The difference between a library and API explained.

Code Reuse

The common types of code reuse.

Code Freeze

The common types of code freeze.

Security vs Privacy

The relationship between security and privacy.

Hardening

An overview of technology hardening.

Defense In Depth

An overview of defense In depth.

Encryption Examples

A definition of encryption with examples.

Canary Trap

A definition of canary trap with an example.

Honeypot

A definition of honeypot with examples.

Security Through Obscurity

A definition of security through obscurity with an example.

Tokens

A definition of token with examples.

Backdoor

A definition of backdoor with examples.
The most popular articles on Simplicable in the past day.

New Articles

Recent posts or updates on Simplicable.
Site Map