From the course: CompTIA CySA+ (CS0-002) Cert Prep: 4 Software and Systems Security

Code review

- [Instructor] Application code is one of the most common sources of security vulnerabilities. Developers write millions of lines of code each year, and there are thousands of security issues buried in the complexity of that code just waiting to be discovered. Code reviews are one of the most important software testing techniques. During a code review, developers have their work reviewed by other developers, who examine the code to ensure that it does not contain obvious or subtle security issues. This process may be totally informal, completely formal, or something in between.

The most formal code review process is known as the Fagan inspection. Fagan inspections follow the six-step process shown here. During the first step, planning, developers perform the pre-work required to get the code review underway. This includes preparing the materials required for the review, identifying the review participants, and scheduling the actual review. Next, the review moves on to the overview phase, where the leader of the review assigns roles to different participants and provides the team with an overview of the software that is being reviewed. During the preparation phase, the participants review the code and any supporting materials on their own to get ready for the review meeting. They look for any potential issues and make notes that they can refer back to later.

Once everyone has completed their preparation, the formal inspection meeting takes place. During this meeting, developers raise any issues that they discovered during the preparation phase and discuss them with the team. The meeting is where the review team formally identifies any defects in the software that require correction. After the inspection meeting, the developers who created the code correct any defects identified during the review in the rework phase. If there were no defects, the developers can then move on to the next phase. If there were significant defects, the process returns to the planning phase for another review cycle. Once the code no longer requires rework, the Fagan inspection concludes with the follow-up phase. During this phase, the leader of the review confirms that all defects were successfully corrected and completes the documentation of the review.

The Fagan inspection model is a highly formalized process for code review and, due to its burdensome nature, is not often followed. However, most software development organizations do perform some type of code review, and it's very common to see modified versions of the Fagan inspection process. Whatever way organizations conduct code reviews, these reviews are critical to the security of software development.