Plynt Blog

How to get the best results from your Code Review

by Roshen Chandran  | 22 Aug 2008

If you are going to engage independent code reviewers to analyze your code, here’re a few tips to get the best results from the exercise:

  1. Explain the functions and features of the application upfront - that helps the code reviewer prepare a meaningful threat profile. A good threat profile provides a solid foundation for a code review.
  2. Give the code reviewer a walk-through of the code on day one: which are the major classes? Where are the critical operations performed? Where are the calls to the database? etc.
  3. Provide a sample test setup of your application that the code reviewer can see. In theory, a code reviewer need only see the code and not the application. In practice, the quality of a code review improves dramatically when the code reviewer can see the application.
  4. Ensure that the code you give the reviewer builds correctly. If your code base is very large, the reviewer might rely on code scanning tools. All the tools require that the code be build-ready. Your reviewer (and you) will lose a lot of time if the code base provided has unmet dependencies.
  5. If you use exotic technologies in your application, it’s good to tell the reviewer upfront. She can research and be better prepared for the review. Remember that it’s unlikely that your reviewer would be familiar with every new technology or framework out there. Good reviewers have developed a system by which they can learn new areas fast, and find holes in them.
  6. Let the code reviewer get at least an hour each day with your developers - that will help her understand the code better, and your developers will feel greater ownership of the exercise.
  7. If you have an audit to pass, inform your code reviewer: she will be able to give you daily updates that you can feed back to the dev team. The fixes can roll out faster that way. In some of our best code reviews, the developers fixed 80% of the holes by the last day of the review. We could mention that too in the report.
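Tip 4 above is the one that most often costs review days in practice: a tree that builds on the developer's machine because of a tool, environment variable or file that lives outside the repository will not build for the reviewer or her scanning tools. The following is an added example, not code from the Plynt post or from any project it describes: a POSIX shell "clean-room" build check that copies the source tree into a fresh directory and builds it with a stripped environment, so hidden dependencies surface before the handover rather than on day one of the review. The build command (`./build.sh`), the artifact path (`out/app`) and the two sample projects are constructed assumptions; substitute your own build invocation (make, mvn, gradle, npm, ...) and expected output.

```shell
#!/bin/sh
# Added example (not from the Plynt post): pre-handover clean-room build check.
# Assumptions: the build is driven by a single command run from the tree root,
# and success is recognisable by one artifact path relative to the tree.

# clean_build SRC_DIR BUILD_CMD ARTIFACT
#   Copies SRC_DIR into a fresh temp dir, runs BUILD_CMD there with a minimal
#   environment (only PATH; no HOME, proxy or toolchain variables inherited
#   from the developer's shell) and returns 0 only if ARTIFACT was produced.
#   On failure the temp dir is kept and its build.log path is printed.
clean_build() {
    src=$1
    cmd=$2
    artifact=$3

    work=$(mktemp -d) || return 1
    # Copy the contents, not a symlink to the tree, so absolute paths that
    # point back at the developer's checkout stop working.
    cp -R "$src/." "$work/" || return 1

    if (cd "$work" && env -i PATH=/usr/local/bin:/usr/bin:/bin sh -c "$cmd") \
        >"$work/build.log" 2>&1 && [ -e "$work/$artifact" ]; then
        rm -rf "$work"
        return 0
    fi
    echo "clean build failed; see $work/build.log" >&2
    return 1
}

# make_sample_project DIR MODE  (constructed sample trees for a stand-alone run)
#   MODE "good":       build.sh creates out/app from files inside the tree.
#   MODE "hidden-dep": build.sh copies a compiler whose path is only known
#                      through the developer's DEV_COMPILER variable.
make_sample_project() {
    dir=$1
    mode=$2
    mkdir -p "$dir"
    if [ "$mode" = good ]; then
        printf '%s\n' '#!/bin/sh' 'mkdir -p out && echo built > out/app' >"$dir/build.sh"
    else
        printf '%s\n' '#!/bin/sh' 'mkdir -p out && cp "$DEV_COMPILER" out/app' >"$dir/build.sh"
    fi
    chmod +x "$dir/build.sh"
}

# Demo: the "hidden-dep" tree builds fine in a developer shell that exports
# DEV_COMPILER, but fails the clean-room check, which is exactly the case a
# reviewer's tools would trip over.
demo() {
    root=$(mktemp -d)
    make_sample_project "$root/good" good
    make_sample_project "$root/hidden" hidden-dep
    for p in good hidden; do
        if clean_build "$root/$p" ./build.sh out/app; then
            echo "$p: builds in a clean room, ready to hand over"
        else
            echo "$p: NOT build-ready; fix before the review starts"
        fi
    done
    rm -rf "$root"
}
demo
```

Run it once from the tree you intend to ship to the reviewer; if the clean-room build fails, vendor or document the missing dependency and rerun until it passes, then hand over that exact tree.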

We discuss the exact steps a code reviewer performs in the blog post “How we do PCI Code Reviews”.
