CRV2 ManualReviewProsCons

From OWASP
Jump to: navigation, search

Contents

Manual Review - Pros and Cons

Add content here ...


Benchmark of different Static Analysis Tools

Add content here ..


Advantages of Code Review to Development Practices

Integrating code review into your companies development processes can have many benefits that will be explored below. Some of these benefits depend upon the tools you use to perform code reviews, how well that data is backed up, and how well those tools are used. The days of bringing developers into a room and displaying code on a projector, whilst recording the review results on a printed copy and behind us, many tools exist to make code review more efficient and to track the review records/decisions. When the code review process is structured correctly, the act of reviewing code can provide educational, auditable and historical benefits to any organization.

The following provides a list of benefits that a code review procedure can add to development team.

Provides an Historical Record

If any developer has joined a company, or moved teams within a company, and had to maintain or enhance a piece of code written years ago, one of the biggest frustrations can be the lack of context the new developer has on the code. Various schools of opinion exist on code documentation, both within the code (comments) and external to the code (design/functional docs, wikis, etc), opinions ranging from zero-documentation tollerance through to near-NASA level documentation where the size of the documentation far exceeds the size of the code module.

If you think about the discussions that occur during a code review, many of these discussions, if recorded, would provide valuable information (context) to module maintainers and new programmers. From the writer describing the module along with some of their design decisions, to each reviewers comments, stating why they think one SQL query should be restructured, or an algorithm changed, there is a development story unfolding in front of the reviewers eyes which can (and should) be used by future coders on the module, who are probably not involved in the review meetings.

Capturing those review discussions in a review tool automatically, and storing them for future reference, will provide the development organization with a history of the changes on the module which can be queried at a later time by new developers. These discussions can also contain links to any architectural/functional/design/test specifications, bug or enhancement numbers, etc.

Verification Change has been Tested

When a developer is about to submit code into the repository, how do you know they have sufficiently tested it? Adding a description of the tests they have run (manually or automated) against the changed code can give reviewers (and managment) confidence that the change will work and not cause any regressions. Also by declaring the tests the writer has ran against their change, the author is allowing reviewers to suggest further testing that may have been missed by the author.

In a development scenario where automated unit or component testing exists, the coding guidelines can require the developer include those unit/component tests in the code review. This again allows reviewers within this type of automated environment to ensure the correct unit/component tests are going to be included in the environment, keeping the quality of the continious intergration.


  1. Junior developers can learn from senior developers during code review. After you learn the basics of a language and read a few of the best practices book, how can you get good on-the-job skills to learn more... well code review can provide that. Apart from buddy coding (which rarely happens) code review is the best place for junior developers to see how the experienced guys do it.
  2. Developers can become more familiar with the code base. Two examples of this, 1) someone (or team) creates a new functional area, then code review allows others who may use that code in the future to become familiar with it, or 2) some cross pollination for silo'ed teams, where they reach out to other teams to review their code, everyone then learns a bit more about the company's code.
  3. This happens less frequently, but does happen, people can spot potential clashes. Person 1 and 2 are working in and around the same area of code, person 1 is going to put their change in 1st, so includes person 2 on the review so person 2 can know if it's going to clash with the code they're about to submit next week.
  4. Code can be reviewed against guidelines. If the company creates guidelines for coding, security, performance, logging, etc, the code review is the place to ensure those guidelines are followed. I.e. a piece of code that may do the job fine, could be rejected because it does not adhere to the coding guidelines. Maybe doesn't matter much for standard code, but for code associated with secure interfaces, this is where the OWASP top 10 could be enforced.