From the course: CISSP Cert Prep (2021): 8 Software Development Security

Code review


- [Instructor] Software code is one of the most common sources of security vulnerabilities. Developers write millions of lines of code each year and there are thousands of security issues buried in the complexity of that code just waiting to be discovered. Manual code reviews are one of the most important software testing techniques to uncover these vulnerabilities. During the code review, developers have their work reviewed by other developers who examine the code to ensure that it doesn't contain obvious or subtle security issues. This process may be totally informal, completely formal or something in between. The most formal code review process is known as the Fagan inspection. Fagan inspections follow a six-step process. During the first step, planning, developers perform the pre-work required to get the code review underway. This includes preparing the materials required for the review, identifying the participants and scheduling the review itself. Next, the review moves on to the overview phase where the leader of the review assigns roles to different participants and provides the team with an overview of the software that's being reviewed. During the preparation phase, the participants review the code and any supporting materials on their own to get ready for the review session. They look for any potential issues and make notes that they can refer back to later. Once everyone has prepared, the formal inspection meeting takes place. During this meeting, developers raise any issues that they discovered during the preparation phase and discuss them with the team. The meeting is where the team formally identifies any defects in the software that require correction. After the inspection meeting, the developers who created the code correct any defects identified during the review in the rework phase. If there were no defects, the developers can then move on to the next phase. If the defects were significant, the process returns to the planning phase for another review. Once the code no longer requires rework, the Fagan inspection concludes with the follow-up phase. During this phase, the leader of the review confirms that all defects were successfully corrected and completes the documentation of the review. The Fagan inspection model is a highly formalized process for code review, and due to its burdensome nature, it's not often followed. However, most software development organizations do perform some type of manual code review, and it's very common to see modified versions of the Fagan inspection process. Whichever way organizations conduct code reviews, they are critical to the security of software development.