OWASP Code Review Guide Table of Contents

Methodology

 * 1) Introduction

NOTE: The following two sections seem to describe quality code review processes, not specifically focused on security. Security code reviews are somewhat different as they require an understanding of the threat model.


 * 1) Steps and Roles
 * 2) Code Review Processes

Checklists

 * 1) Buffer Overruns and Overflows
 * 2) OS Injection
 * 3) SQL Injection
 * 4) Data Validation
 * 5) Error Handling
 * 6) The Secure Code Environment
 * 7) Transaction Analysis

Automating Code Reviews
Reasons for using automated tools: In large-scale enterprise code review operations, where the volume of code is enormous, automated code review techniques can improve the throughput of the review process.

Education and cultural change: Educating developers to write secure code is the paramount goal of a secure code review. Taking code review from this standpoint is the only way to promote and improve code quality. Part of the education process is to empower developers with the knowledge they need to write better code.

This can be done by providing developers with a controlled set of rules against which they can compare their code. Automated tools provide this functionality and also help reduce the time overhead. A developer can check his/her code with a tool without much prior knowledge of the security concerns pertaining to the task at hand, and running a tool against the code is a fairly painless task once the developer is familiar with the tool(s).

Tool deployment model: Deploying code review tools to developers improves the throughput of a code review team by identifying, and ideally removing, most of the common and simple coding mistakes before a security consultant views the code.

This approach improves developer knowledge and lets the security consultant spend time looking for more abstract vulnerabilities.
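As an added illustration of the deployment model described above (example code written for this page, not a tool from the OWASP guide), the script below is a minimal rule-based scanner of the kind a developer would run before handing code to the security consultant. The rule IDs, the regular expressions and the two sample source files are assumptions constructed for the example; each rule is tagged with the checklist item from this guide it maps to (Buffer Overruns and Overflows, OS Injection, SQL Injection), and the exit status is non-zero when anything is flagged so the scan can gate a commit or a CI job.

```python
"""Minimal rule-based scanner: a developer-side gate for the common, simple
mistakes the guide's checklists cover, run before the security review."""
import re
import sys
import textwrap
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    checklist: str          # checklist item from the guide the rule maps to
    suffixes: tuple         # file extensions the rule applies to
    pattern: re.Pattern
    message: str


# The controlled rule set handed to developers (assumed rules, not from the guide).
RULES = (
    Rule("BUF-001", "Buffer Overruns and Overflows", (".c", ".h"),
         re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\("),
         "unbounded C string function; use a length-checked variant"),
    Rule("OSI-001", "OS Injection", (".py",),
         re.compile(r"\bos\.(system|popen)\s*\("),
         "command string passed to the shell; use subprocess with an argument list"),
    Rule("OSI-002", "OS Injection", (".py",),
         re.compile(r"\bsubprocess\.\w+\(.*\bshell\s*=\s*True"),
         "shell=True hands the command line to a shell"),
    Rule("SQL-001", "SQL Injection", (".py",),
         re.compile(r"""\.execute\s*\(\s*(f["']|["'].*["']\s*[+%])"""),
         "SQL text built with string formatting; use a parameterised query"),
)


@dataclass(frozen=True)
class Finding:
    filename: str
    line_no: int
    rule_id: str
    checklist: str
    message: str
    snippet: str


def scan(source: str, filename: str) -> list:
    """Run every rule whose suffix list covers `filename` over each line of `source`."""
    suffix = filename[filename.rfind("."):] if "." in filename else ""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule in RULES:
            if suffix in rule.suffixes and rule.pattern.search(line):
                findings.append(Finding(filename, line_no, rule.rule_id,
                                        rule.checklist, rule.message, line.strip()))
    return findings


def format_report(findings) -> str:
    """One 'file:line: RULE [checklist] message' entry per finding, snippet below it."""
    return "\n".join(f"{f.filename}:{f.line_no}: {f.rule_id} [{f.checklist}] "
                     f"{f.message}\n    {f.snippet}" for f in findings)


# Constructed sample files (not real project code) to run the gate against.
SAMPLE_C = textwrap.dedent('''\
    #include <stdio.h>
    #include <string.h>
    void copy_name(char *dst, const char *src) {
        strcpy(dst, src);                    /* flagged: no length check */
    }
    int read_line(char *buf, size_t n) {
        return fgets(buf, n, stdin) != NULL; /* not flagged: bounded */
    }
    int read_line_unsafe(char *buf) {
        return gets(buf) != NULL;            /* flagged */
    }
    ''')

SAMPLE_PY = textwrap.dedent('''\
    import os, subprocess
    def list_dir(path):
        os.system("ls " + path)                                      # flagged
    def grep(pattern, path):
        subprocess.run("grep " + pattern + " " + path, shell=True)   # flagged
    def find_user(cur, name):
        cur.execute("SELECT * FROM users WHERE name = '" + name + "'")   # flagged
    def find_user_safe(cur, name):
        cur.execute("SELECT * FROM users WHERE name = %s", (name,))  # not flagged
    ''')


def main() -> int:
    findings = scan(SAMPLE_C, "copy.c") + scan(SAMPLE_PY, "app.py")
    print(format_report(findings) or "no findings")
    return 1 if findings else 0   # non-zero exit fails a pre-commit hook or CI job


if __name__ == "__main__":
    sys.exit(main())
```

The rules are deliberately line-local and textual: they catch the simple, recurring mistakes a developer can fix on their own, and they say nothing about a query assembled in one function and executed in another, or about whether `path` was validated upstream. Those are the more abstract findings that the tool leaves to the security consultant, which is the division of labour the deployment model above is aiming for.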