CRV2 WhatIsCodeReview

From OWASP
Revision as of 05:12, 17 May 2013 by EoinKeary (Talk | contribs)


What is Security Source Code Review?

Source code review is the practice of reviewing developed code for vulnerabilities. There are many ways to review the security of an application, and it is recommended to perform more than one method to help ensure broader assessment coverage. Penetration testing is great at finding certain bugs, such as technical signature or API based issues. Issues related to privacy, information leakage and denial of service are more suited to code review. Source code review is also good practice because you are finding issues early in the SDLC. Locating and fixing issues early in your SDLC makes remediation cheaper in terms of effort and cost. It also empowers developers to understand security bugs at the source code level, so that they may not repeat the same mistakes.