Difference between revisions of "Code Review Guide History"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 
[[OWASP Code Review Guide Table of Contents]]__TOC__
 
[[OWASP Code Review Guide Table of Contents]]__TOC__
  
The Code Review guide is the result of initially contributing and leading the Testing Guide.  
+
The Code Review guide is the result of initially contributing and leading the Testing Guide. Initially it was thought to place Code review and testing into the same guide; it seemed like a good idea at the time. But the topic called security code review got too big and evolved into its own stand-alone guide.  
Initially it was thought to place Code review and testing into the same guide; it seemed like a good idea at the time. But the topic called secure code review got too big and evolved into its own stand-alone guide.
+
  
 +
The Code Review guide was started in 2006. The Code Review team consists of a small, but talented, group of volunteers who should really get out more often.
  
The Code Review guide was started in 2006. The Code Review team consists of a small, but talented, group of volunteers who should really get out more often.
+
The team noticed that organizations with a proper code review function integrated into the software development lifecycle (SDLC) produced remarkably better code from a security standpoint. This observation has borne out in practice, as many security vulnerabilities are easier to find in the code than by using other techniques.  
  
It was found that a proper code review function which is integrated into the software development process /Lifecycle (SDLC) produced remarkably better code from a security standpoint. It is also cheaper and looking at the "Security @ source" industry it seems that the trend in application security is heading in this direction.
+
By necessity, this guide does not cover all languages; it mainly focuses on .NET and Java, but has a little C/C++ and PHP thrown in also. However, the techniques advocated in the book can be easily adapted to almost any code environment. Fortunately, the security flaws in web applications are remarkably consistent across programming languages.
 
+
"Secure code review is the sign of a mature SDLC and in our view much more sustainable and controllable than the pen and patch model"
+
 
+
The guide does not cover all languages; it mainly focuses on .NET and Java, but has a little C/C++ and PHP thrown in also.
+
To write a guide that covers all languages would take too long and be too big.
+
 
+
Hope you find this guide useful and a decent reference document if you ever have to perform secure code review.
+
 
+
Good Luck,
+
 
+
Slán,
+
Eoin
+

Revision as of 11:25, 8 January 2009

OWASP Code Review Guide Table of Contents

The Code Review guide is the result of initially contributing and leading the Testing Guide. Initially it was thought to place Code review and testing into the same guide; it seemed like a good idea at the time. But the topic called security code review got too big and evolved into its own stand-alone guide.

The Code Review guide was started in 2006. The Code Review team consists of a small, but talented, group of volunteers who should really get out more often.

The team noticed that organizations with a proper code review function integrated into the software development lifecycle (SDLC) produced remarkably better code from a security standpoint. This observation has borne out in practice, as many security vulnerabilities are easier to find in the code than by using other techniques.

By necessity, this guide does not cover all languages; it mainly focuses on .NET and Java, but has a little C/C++ and PHP thrown in also. However, the techniques advocated in the book can be easily adapted to almost any code environment. Fortunately, the security flaws in web applications are remarkably consistent across programming languages.