Agile Application Security by Laura Bell, Jim Bird, Rich Smith, Michael Brunton-Spall

Chapter 10. Code Review for Security

We’ve looked at how to deal with security in planning, in requirements, and in design. Now it’s time to deal with security at the code level.

At least half of security vulnerabilities are introduced during coding, by developers making simple programming mistakes, by not being careful, by missing a requirement, or by misunderstanding or misusing the language, libraries, and frameworks.

There are two different basic approaches for catching problems, including security issues, in code:

Testing

Whether automated or manual, including black-box scanning for security vulnerabilities.

Code reviews

Including pair programming and peer reviews, code audits, and automated code scanning.

We’ll look at the strengths and weaknesses of both approaches in the next two chapters. Let’s start by understanding how code reviews fit into Agile development, and how they can be used to find important problems in development.

Why Do We Need to Review Code?

Code reviews are done for many different reasons:

Governance

Peer reviews can be an important step in change control, ensuring that at least one other person is aware of, and has implicitly or explicitly approved, the code change.

Transparency

Code reviews provide team members with information about what is happening in the project, creating awareness of how the system works and how it is changing. By shining a light on every change, reviews also minimize the threat of a malicious insider planting a logic bomb or ...
