Code Review Guide History

OWASP Code Review Guide Table of Contents

The Code Review guide is the result of initially contributing and leading the Testing Guide. Initially, it was thought to place Code review and testing into the same guide; it seemed like a good idea at the time. But the topic called security code review got too big and evolved into its own stand-alone guide.

The Code Review guide was started in 2006. The Code Review team consists of a small, but talented, group of volunteers who should really get out more often.

The team noticed that organizations with a proper code review functions integrated into the software development lifecycle (SDLC) produced remarkably better code from a security standpoint. This observation has borne out in practice, as many security vulnerabilities are easier to find in the code than by using other techniques.

By necessity, this guide does not cover all languages; it mainly focuses on .NET and Java, but has a little C/C++ and PHP thrown in also. However, the techniques advocated in the book can be easily adapted to almost any code environment. Fortunately, the security flaws in web applications are remarkably consistent across programming languages.