Difference between revisions of "Automated Code Review"

From OWASP
Jump to: navigation, search
m (typo)
m (Added navigation to facilitate sequential reading online)
 
(8 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[[OWASP Code Review Guide Table of Contents]]__TOC__
+
{{LinkBar
 +
  | useprev=PrevLink | prev=How to Write an Application Code Review Finding | lblprev=
 +
  | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents
 +
  | usenext=NextLink | next=Tool Deployment Model | lblnext=
 +
}}
 +
__TOC__
  
 
==Preface==
 
==Preface==
 +
While manual code reviews can find security flaws in code, they suffer from two problems. Manual code reviews are slow, covering 100-200 lines per hour on average.
  
While manual code reviews can find security flaws in code, they suffer from two problems.  Manual code reviews are slow, covering 100-200 lines per hour on average.  Also, there are hundreds of security flaws to look for in code, while humans can only keep about seven items in memory at once. Source code analysis tools can search a program for hundreds of different security flaws at once at a rate far greater than any human can review code.  However, these tools don't eliminate the need for a human reviewer, as they produce both false positive and false negative results.
+
Also, there are hundreds of security flaws to look for in code, while humans can only keep about seven items in memory at once. Source code analysis tools can search a program for hundreds of different security flaws at once, at a rate far greater than any human can review code.
  
 +
However, these tools don't eliminate the need for a human reviewer, as they produce both false positive and false negative results.
  
== '''Reasons for using automated tools:''' ==
+
==Reasons for Using Code Review Tools==
 +
In large scale code review operations for enterprises such that the volume of code is enormous, automated code review techniques can assist in improving the throughput of the code review process.
  
In large scale code review operations for enterprises such that the volume of code is enormous automated code review techniques can assist in improving the throughput of the code review process.
+
==Education and Cultural Change==
 +
Educating developers to write secure code is the paramount goal of a secure code review. Taking code review from this standpoint is the only way to promote and improve code quality. Part of the education process is to empower developers with the knowledge in order to write better code.  
  
 +
This can be done by providing developers with a controlled set of rules which the developer can compare their code to. Automated tools provide this functionality, and also help reduce the overhead from a time perspective. A developer can check his/her code using a tool without much initial knowledge of the security concerns pertaining to their task at hand. Also, running a tool to assess the code is a fairly painless task once the developer becomes familiar with the tool(s).
  
== '''Education and cultural change:''' ==
 
  
Educating developers to write secure code is the paramount goal of a secure code review. Taking code review from this standpoint is the only way to promote and improve code quality. Part of the education process is to empower devlopers with the knowledge in order to write better code.
+
{{LinkBar
 
+
  | useprev=PrevLink | prev=How to Write an Application Code Review Finding | lblprev=
This can be done by providing developers with a controlled set of rules which the developer can compare their code to. Automated tools provide this functionality and also help reducing the overhead from a time perspective. A developer can check his/her code using a tool without much initial knowledge of the security concerns pertaining to their task at hand.
+
  | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents
Also running a tool to assess the code is a fairly painless task once the developer becomes familiar with the tool(s).
+
  | usenext=NextLink | next=Tool Deployment Model | lblnext=
 
+
}}
 
+
== '''Tool Deployment model:''' ==
+
 
+
Deploying code review tools to developers helps the throughput of a code review team by helping to identify and hopefully remove most of the common and simple coding mistakes prior to a security consultant viewing the code.
+
 
+
This methodology improves developer knowledge and also the security consultant can spend time looking for more abstract vulerabilities.
+
  
 
[[Category:OWASP Code Review Project]]
 
[[Category:OWASP Code Review Project]]

Latest revision as of 11:56, 9 September 2010

«««« Main
(Table of Contents)
»»»»

Contents


Preface

While manual code reviews can find security flaws in code, they suffer from two problems. Manual code reviews are slow, covering 100-200 lines per hour on average.

Also, there are hundreds of security flaws to look for in code, while humans can only keep about seven items in memory at once. Source code analysis tools can search a program for hundreds of different security flaws at once, at a rate far greater than any human can review code.

However, these tools don't eliminate the need for a human reviewer, as they produce both false positive and false negative results.

Reasons for Using Code Review Tools

In large scale code review operations for enterprises such that the volume of code is enormous, automated code review techniques can assist in improving the throughput of the code review process.

Education and Cultural Change

Educating developers to write secure code is the paramount goal of a secure code review. Taking code review from this standpoint is the only way to promote and improve code quality. Part of the education process is to empower developers with the knowledge in order to write better code.

This can be done by providing developers with a controlled set of rules which the developer can compare their code to. Automated tools provide this functionality, and also help reduce the overhead from a time perspective. A developer can check his/her code using a tool without much initial knowledge of the security concerns pertaining to their task at hand. Also, running a tool to assess the code is a fairly painless task once the developer becomes familiar with the tool(s).


«««« Main
(Table of Contents)
»»»»