Difference between revisions of "Code Review Guide History"

From OWASP
Previous revision:

[[OWASP Code Review Guide Table of Contents]]__TOC__

The Code Review guide is the result of contributing to the Testing Guide.

Initially it was thought to place Code review and Testing into the same guide. But code review got too big and evolved into itso own stand alone guide.

The code review guide was started by [User:Eoin Keary] and is currently in its infancy. Eoin was lead of an application security group for a large financial institution and was involved with the code review process for many years. It was found that a proper code review function that is integrated into the software development process /Lifecycle (SDLC) produced remarkably better code from a security standpoint.

"Secure code review is the sign of a mature SDLC and in my view much more sustainable and controllable than the pen and patch model"

Revision as of 05:49, 3 August 2007

OWASP Code Review Guide Table of Contents

The Code Review guide grew out of initially contributing to, and then leading, the Testing Guide. At first it was thought that code review and testing should go into the same guide, which seemed like a good idea at the time, but the topic of secure code review grew too big and evolved into its own stand-alone guide.


The code review guide was started by Eoin Keary. The code review team consists of a small but talented group of volunteers who should really get out more often.

It was found that a proper code review function integrated into the software development lifecycle (SDLC) produced remarkably better code from a security standpoint. It is also cheaper, and looking at the "Security @ source" industry, the trend in application security appears to be heading in this direction.

"Secure code review is the sign of a mature SDLC and in our view much more sustainable and controllable than the pen and patch model"

The guide does not cover all languages; it mainly focuses on .NET and Java, with a little C/C++ and PHP thrown in as well. A guide covering every language would take too long to write and be too big.

We hope you find this guide useful and a decent reference document if you ever have to perform a secure code review.

Good Luck,

Slan, Eoin