Export (0) Print
Expand All
2 out of 2 rated this helpful - Rate this topic

patterns & practices Security Code Review Index

 
Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

patterns & practices Developer Center

J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley, Kishore Gopalan

Microsoft Corporation

September 2005

Summary

This page provides an index of patterns & practices resources to help you perform a security code review.

Contents

Security Code Review Approach
Baseline Activity
.NET Framework Version 1.1
.NET Framework Version 2.0
Common Security Issues

Security Code Review Approach

The purpose of a security code review is to inspect source code to discover security issues before testing and deployment begin. The four major code review steps are shown in Figure 1.

Ff647807.codereviewforsecurityprocess(en-us,PandP.10).gif

Figure 1. Code review steps

Review your code each time there is a meaningful change instead of reviewing it all at once at the end of the project. This allows you to focus on what has changed rather than trying to find all the issues at once.

The code review process involves the following steps:

  • Step 1. Identify security code review objectives. Establish goals and constraints for the review.
  • Step 2. Perform a preliminary scan. Use static analysis to find an initial set of security issues and improve your understanding of where the security issues are most likely to be discovered through further review.
  • Step 3. Review the code for security issues. Review the code thoroughly with the goal of finding security issues that are common to many applications. You can use the results of step two to focus your analysis.
  • Step 4. Review for security issues unique to the architecture. Complete a final analysis looking for security issues that relate to the unique architecture of your application. This step is most important if you have implemented a custom security mechanism or any feature designed specifically to mitigate a known security threat.

Baseline Activity

The baseline activity shows you the techniques and steps to perform an effective security code review. Use the baseline activity in conjunction with the companion question lists and checklists to perform a security code review.

.NET Framework Version 2.0

The following links offer question lists and checklists for reviewing .NET Framework 2.0 code. The question lists should be used in conjunction with the baseline code review activity, How To: Perform Security Code Review for Managed Code (Baseline Activity).

Question Lists

Checklists

.NET Framework Version 1.1

The following links offer guidelines and checklists for reviewing .NET Framework 1.1 code.

Checklists

Common Security Issues

The following patterns & practices resources help you perform security code reviews for common security issues.

Feedback

Provide feedback by using either a Wiki or e-mail:

We are particularly interested in feedback regarding the following:

  • Technical issues specific to recommendations
  • Usefulness and usability issues

Technical Support

Technical support for the Microsoft products and technologies referenced in this guidance is provided by Microsoft Support Services. For product support information, see the Microsoft Support Web site at http://support.microsoft.com.

Community and Newsgroups

Community support is provided in the forums and newsgroups:

To get the most benefit, find the newsgroup that corresponds to your technology or problem. For example, if you have a problem with ASP.NET security features, you would use the ASP.NET Security forum.

Contributors and Reviewers

  • External Contributors and Reviewers: Anil John; Frank Heidt; Keith Brown, Pluralsight
  • Microsoft Product Group: Don Willits, Eric Jarvi, Randy Miller, Stefan Schackow
  • Microsoft IT Contributors and Reviewers: Shawn Veney, Akshay Aggarwal, Talhah Mir
  • Microsoft EEG: Eric Brechner, James Waletzky
  • Microsoft patterns & practices Contributors and Reviewers: Carlos Farre, Jonathan Wanagel
  • Test team: Larry Brader, Microsoft Corporation; Nadupalli Venkata Surya Sateesh, Sivanthapatham Shanmugasundaram, Infosys Technologies Ltd.
  • Edit team: Nelly Delgado, Microsoft Corporation
  • Release Management: Sanjeev Garg, Microsoft Corporation

patterns & practices Developer Center

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.