Difference between revisions of "Code Review Guide History"

From OWASP
Jump to: navigation, search
 
(Added navigation to facilitate sequential reading online)
 
(7 intermediate revisions by 3 users not shown)
Line 1: Line 1:
[[OWASP Code Review Guide Table of Contents]]__TOC__
+
{{LinkBar
 +
  | useprev=PrevLink | prev=OCRG1.1:About The Open Web Application Security Project | lblprev=About The Open Web Application Security Project
 +
  | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents
 +
  | usenext=NextLink | next=Code Review Introduction | lblnext=Introduction
 +
}}
  
The Code Review guide is the result of contributing to the Testing Guide.
+
The Code Review guide is the result of initially contributing and leading the Testing Guide. Initially, it was thought to place Code review and testing into the same guide; it seemed like a good idea at the time. But the topic called security code review got too big and evolved into its own stand-alone guide.  
Initially it was thought to place Code review and Testing into the same guide. But code review got too big and evolved into itso own stand alone guide.
+
  
The code review guide was started by [User:Eoin Keary] and is currently in its infancy. Eoin was lead of an application security group for a large financial institution and was involved with the code review process for many years. It was found that a proper code review function that is integrated into the software development process /Lifecycle (SDLC) produced remarkably better code from a security standpoint.
+
The Code Review guide was started in 2006. The Code Review team consists of a small, but talented, group of volunteers who should really get out more often.  
  
"Secure code review is the sign of a mature SDLC and in my view much more sustainable and controllable than the pen and patch model"
+
The team noticed that organizations with a proper code review functions integrated into the software development lifecycle (SDLC) produced remarkably better code from a security standpoint. This observation has borne out in practice, as many security vulnerabilities are easier to find in the code than by using other techniques.
 +
 
 +
By necessity, this guide does not cover all languages; it mainly focuses on .NET and Java, but has a little C/C++ and PHP thrown in also. However, the techniques advocated in the book can be easily adapted to almost any code environment. Fortunately, the security flaws in web applications are remarkably consistent across programming languages.
 +
 
 +
{{LinkBar
 +
  | useprev=PrevLink | prev=OCRG1.1:About The Open Web Application Security Project | lblprev=About The Open Web Application Security Project
 +
  | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents
 +
  | usenext=NextLink | next=Code Review Introduction | lblnext=Introduction
 +
}}

Latest revision as of 09:26, 9 September 2010

««About The Open Web Application Security Project«« Main
(Table of Contents)
»»Introduction»»

The Code Review guide is the result of initially contributing and leading the Testing Guide. Initially, it was thought to place Code review and testing into the same guide; it seemed like a good idea at the time. But the topic called security code review got too big and evolved into its own stand-alone guide.

The Code Review guide was started in 2006. The Code Review team consists of a small, but talented, group of volunteers who should really get out more often.

The team noticed that organizations with a proper code review functions integrated into the software development lifecycle (SDLC) produced remarkably better code from a security standpoint. This observation has borne out in practice, as many security vulnerabilities are easier to find in the code than by using other techniques.

By necessity, this guide does not cover all languages; it mainly focuses on .NET and Java, but has a little C/C++ and PHP thrown in also. However, the techniques advocated in the book can be easily adapted to almost any code environment. Fortunately, the security flaws in web applications are remarkably consistent across programming languages.


««About The Open Web Application Security Project«« Main
(Table of Contents)
»»Introduction»»