We’ve looked at how to deal with security in planning, in requirements, and in design. Now it’s time to deal with security at the code level.
At least half of security vulnerabilities are introduced in coding, by developers making simple programming mistakes, by not being careful, missing a requirement, or misunderstanding or misusing the language, libraries, and frameworks.
There are two different basic approaches for catching problems, including security issues, in code:
Testing: whether automated or manual, including black-box scanning for security vulnerabilities.
Reviewing: including pair programming and peer reviews, code audits, and automated code scanning.
We’ll look at the strengths and weaknesses of both approaches in the next two chapters. Let’s start by understanding how code reviews fit into Agile development, and how they can be used to find important problems in development.
Code reviews are done for many different reasons:
Peer reviews can be an important step in change control, ensuring that at least one other person is aware of, and has implicitly or explicitly approved, the code change.
Code reviews provide team members with information about what is happening in the project, creating awareness of how the system works and how it is changing. By shining a light on every change, reviews also minimize the threat of a malicious insider planting a logic bomb or ...