Robert Hurlbut Blog

Thoughts on Software Security, Software Architecture, Software Development, and Agility

Tips for Security Code Reviews

Friday, August 4, 2006

Tags: .NET, Security

Occasionally, I am called upon to do a security code review. I enjoy the process, and I recommend that every shop that writes software regularly review its code not only for ordinary bugs, but especially for security bugs. The drawback, though, is that not everyone knows what to do or what to look for in such a review. One of my personal and business goals is to help clients understand this process.

Michael Howard wrote an interesting article on "A Process for Performing Security Code Reviews" that appeared in this month's IEEE Security and Privacy magazine [found by way of Dana Epp]. I enjoyed reading about some of the steps and decisions Microsoft follows in reviewing its own code. Take a look and then think about how you can make this part of your own software development lifecycle.
