Code reviews offer developers the opportunity to have their code evaluated by their peers before moving it into production. In this video, learn about the code review process, including the use of Fagan inspections for formalized code review.
- [Lecturer] Application code is one of the most common sources of security vulnerabilities. Developers write millions of lines of code each year, and there are thousands of security issues buried in the complexity of that code just waiting to be discovered. Code reviews are one of the most important software testing techniques. During a code review, developers have their work reviewed by other developers who examine the code to ensure that it does not contain obvious or subtle security issues.
This process may be totally informal, completely formal, or something in between. The most formal code review process is known as the Fagan inspection. Fagan inspections follow the six-step process shown here. During the first step, planning, developers perform the pre-work required to get the code review underway. This includes preparing the materials required for the review, identifying the review participants, and scheduling the actual review.
Next, the review moves on to the overview phase where the leader of the review assigns roles to different participants and provides the team with an overview of the software that is being reviewed. During the preparation phase, the participants review the code and any supporting materials on their own to get ready for the review meeting. They look for any potential issues and make notes that they can refer back to later. Once everyone has completed their preparation, the formal inspection meeting takes place.
During this meeting, developers raise any issues that they discovered during the preparation phase and discuss them with the team. The meeting is where the review team formally identifies any defects in the software that require correction. After the inspection meeting, the developers who created the code correct any defects identified during the review, in the rework phase. If there were no defects, the developers can then move on to the next phase. If there were significant defects, the process returns to the planning phase for another review cycle.
Once the code no longer requires rework, the Fagan inspection concludes with the follow-up phase. During this phase, the leader of the review confirms that all defects were successfully corrected and completes the documentation of the review. The Fagan inspection model is a highly formalized process for code review, and, due to its burdensome nature, is not often followed. However, most software development organizations do perform some type of code review and it's very common to see modified versions of the Fagan inspection process.
Whatever way organizations conduct code reviews, these reviews are critical to the security of software development.
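The six phases the lecturer walks through, with the decisions at the inspection meeting, rework and follow-up steps, modelled as a small state machine. This is an added example and is not code from the video or its course materials. The rule that any MAJOR defect found in the current cycle counts as "significant" and sends the review back to planning, the return from follow-up to rework when a fix did not hold, and the sample defects in the hypothetical file refund.py are all assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Phase(Enum):
    PLANNING = "planning"
    OVERVIEW = "overview"
    PREPARATION = "preparation"
    INSPECTION = "inspection meeting"
    REWORK = "rework"
    FOLLOW_UP = "follow-up"
    CLOSED = "closed"


class Severity(Enum):
    MINOR = "minor"
    MAJOR = "major"


@dataclass
class Defect:
    location: str            # where in the artifact, e.g. "refund.py:88"
    description: str
    severity: Severity
    found_in_cycle: int = 0
    fixed: bool = False


@dataclass
class Inspection:
    artifact: str
    phase: Phase = Phase.PLANNING
    cycle: int = 1
    defects: list = field(default_factory=list)
    log: list = field(default_factory=list)   # (cycle, phase) entries in order

    def _enter(self, expected: Phase, new: Phase) -> None:
        # Phases must be entered in order; skipping one is a process error.
        if self.phase is not expected:
            raise RuntimeError(f"cannot enter {new.value} from {self.phase.value}")
        self.phase = new
        self.log.append((self.cycle, new.value))

    def open_defects(self) -> list:
        return [d for d in self.defects if not d.fixed]

    # Planning -> overview -> preparation involve no decisions, only ordering.
    def start_overview(self) -> None:
        self._enter(Phase.PLANNING, Phase.OVERVIEW)

    def start_preparation(self) -> None:
        self._enter(Phase.OVERVIEW, Phase.PREPARATION)

    def hold_meeting(self, found: list) -> Phase:
        """Record the defects the team agreed on; decide rework vs. follow-up."""
        self._enter(Phase.PREPARATION, Phase.INSPECTION)
        for d in found:
            d.found_in_cycle = self.cycle
        self.defects.extend(found)
        # No open defects means nothing to rework, so go straight to follow-up.
        self._enter(Phase.INSPECTION, Phase.REWORK if self.open_defects() else Phase.FOLLOW_UP)
        return self.phase

    def complete_rework(self, fixed_locations: set) -> Phase:
        """Authors report which defects they corrected; decide re-review vs. follow-up."""
        if self.phase is not Phase.REWORK:
            raise RuntimeError(f"not in rework (phase is {self.phase.value})")
        for d in self.defects:
            if d.location in fixed_locations:
                d.fixed = True
        # Assumption for this example: a MAJOR defect found in this cycle is
        # "significant", so the corrected code goes through another full cycle.
        significant = any(d.severity is Severity.MAJOR and d.found_in_cycle == self.cycle
                          for d in self.defects)
        if significant:
            self.cycle += 1
            self._enter(Phase.REWORK, Phase.PLANNING)
        else:
            self._enter(Phase.REWORK, Phase.FOLLOW_UP)
        return self.phase

    def follow_up(self) -> Phase:
        """Leader confirms every recorded defect is fixed before closing the review."""
        if self.phase is not Phase.FOLLOW_UP:
            raise RuntimeError(f"not in follow-up (phase is {self.phase.value})")
        if self.open_defects():
            # Assumption: a fix that did not hold sends the authors back to rework.
            self._enter(Phase.FOLLOW_UP, Phase.REWORK)
        else:
            self._enter(Phase.FOLLOW_UP, Phase.CLOSED)
        return self.phase


def demo() -> Inspection:
    """Two-cycle walk-through on constructed data (hypothetical file refund.py)."""
    insp = Inspection("payments/refund.py")
    insp.start_overview()
    insp.start_preparation()
    insp.hold_meeting([
        Defect("refund.py:88", "refund amount not checked to be positive", Severity.MAJOR),
        Defect("refund.py:12", "unused import", Severity.MINOR),
    ])
    insp.complete_rework({"refund.py:88", "refund.py:12"})   # MAJOR defect: new cycle
    insp.start_overview()
    insp.start_preparation()
    insp.hold_meeting([])                                     # clean re-review
    insp.follow_up()
    return insp
```

Running demo() produces a log of ten phase entries across two cycles; the second cycle exists only because the first meeting recorded a MAJOR defect. Real inspections record who played which role and the meeting's defect list in the same log, which is the documentation the leader completes at follow-up.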