Code Review Guide History

OWASP Code Review Guide Table of Contents

The Code Review guide is the result of initially contributing and leading the Testing Guide. Initially it was thought to place Code review and testing into the same guide; it seemed like a good idea at the time. But the topic called secure code review got too big and evolved into its own stand-alone guide.

The Code Review guide was started in 2006. The Code Review team consists of a small, but talented, group of volunteers who should really get out more often.

It was found that a proper code review function which is integrated into the software development process /Lifecycle (SDLC) produced remarkably better code from a security standpoint. It is also cheaper and looking at the "Security @ source" industry it seems that the trend in application security is heading in this direction.

"Secure code review is the sign of a mature SDLC and in our view much more sustainable and controllable than the pen and patch model"

The guide does not cover all languages; it mainly focuses on .NET and Java, but has a little C/C++ and PHP thrown in also. To write a guide that covers all languages would take too long and be too big.

Hope you find this guide useful and a decent reference document if you ever have to perform secure code review.

Good Luck,

Slán, Eoin