Occasionally, I am called upon to do a security code review. I enjoy the process, and I recommend that every shop that writes software regularly review its code not only for ordinary bugs, but especially for security bugs. The drawback, though, is that not everyone knows what to do or what to look for in such a review. One of my personal and business goals is to help clients understand this process.
Michael Howard wrote an interesting article on "A Process for Performing Security Code Reviews" that appeared in this month's IEEE Security and Privacy magazine [found by way of Dana Epp]. I enjoyed reading about some of the steps and decisions Microsoft follows in reviewing its own code. Take a look and then think about how you can make this part of your own software development lifecycle.