Chapter 10. Code Review for Security
Weâve looked at how to deal with security in planning, in requirements, and in design. Now itâs time to deal with security at the code level.
At least half of security vulnerabilities are introduced in coding, by developers making simple programming mistakes, by not being careful, missing a requirement, or misunderstanding or misusing the language, libraries, and frameworks.
There are two different basic approaches for catching problems, including security issues, in code:
- Testing
-
Whether automated or manual, including black-box scanning for security vulnerabilities.
- Code reviews
-
Including pair programming and peer reviews, code audits, and automated code scanning.
Weâll look at the strengths and weaknesses of both approaches in the next two chapters. Letâs start by understanding how code reviews fit into Agile development, and how they can be used to find important problems in development.
Why Do We Need to Review Code?
Code reviews are done for many different reasons:
- Governance
-
Peer reviews can play an important step in change control by ensuring that at least one other person is aware of and, implicitly or explicitly, approved the code change.
- Transparency
-
Code reviews provide team members with information about what is happening in the project, creating awareness of how the system works and how it is changing. By shining a light on every change, reviews also minimize the threat of a malicious insider planting a logic ...
Get Agile Application Security now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.