
At a Glance: Security Code Review

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley

Microsoft Corporation

September 2005

Summary: This topic provides a summary view of the main input, output, and steps for performing a security code review. For detailed step-by-step instructions, see "How To: Perform a Security Code Review for Managed Code (Baseline Activity)".

Contents

Activity Overview
Activity Summary Table

Activity: Security Code Review

Purpose: Identify security issues before testing and deployment begin.

Input: Code

Output: A set of identified security issues ready to be prioritized for repair.

Activity Overview

The four major code review steps are shown in Figure 1. Review your code each time there is a meaningful change instead of reviewing it all at once at the end of the project. This allows you to focus on what has changed, rather than trying to find all of the bugs at one time.


Figure 1. Security code review steps

The security code review activity involves the following steps:

  • Step 1. Identify security code review objectives. Establish goals and constraints for the review.
  • Step 2. Perform a preliminary scan. Use static analysis to find an initial set of bugs and improve your understanding of where the security issues are most likely to be discovered during further review.
  • Step 3. Review the code for security issues. Review the code thoroughly to find security issues that are common to many applications. You can use the results of Step 2 to focus your analysis.
  • Step 4. Review for security issues unique to the architecture. Complete a final analysis that focuses on security issues that relate to the unique architecture of your application. This step is most important if you have implemented a custom security mechanism or any feature designed specifically to mitigate a known security threat.
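To make the flow of Step 2 concrete, here is an added example (not code from the original article or from patterns & practices) of a minimal preliminary scan: it takes code plus the review objectives from Step 1, produces the list of flagged areas, and then removes reviewer-confirmed false positives to yield the vulnerability list that Step 3 consumes. The C# sample and the two regex patterns are constructed for illustration and are not a real rule set.

```python
"""Step 2 of the security code review activity: preliminary scan.
Inputs: code and code review objectives. Outputs: flagged areas and a
vulnerability list with false positives eliminated. Sample code and
patterns below are constructed for this example, not an exhaustive scanner."""
import re
from dataclasses import dataclass

# Constructed managed-code (C#) sample with a few hot spots a scan might flag.
SAMPLE_CODE = """\
public class OrderRepo {
    public void Find(string id) {
        var cmd = new SqlCommand("SELECT * FROM Orders WHERE Id = " + id);
    }
    public void Safe(string id) {
        var cmd = new SqlCommand("SELECT * FROM Orders WHERE Id = @id");
        cmd.Parameters.AddWithValue("@id", id);
    }
    public void Show(string name) {
        Response.Write("<b>" + name + "</b>");
    }
    public void Count() {
        // Two literals concatenated: no untrusted input reaches the query.
        var cmd = new SqlCommand("SELECT COUNT(*) " + "FROM Orders");
    }
}
"""

# Objective-driven patterns (constructed): each Step 1 objective maps to the
# code shape the preliminary scan looks for.
OBJECTIVES = {
    "sql-injection": re.compile(r'SqlCommand\(\s*".*"\s*\+'),  # string-built SQL
    "xss":           re.compile(r'Response\.Write\(.*\+'),    # unencoded output
}

@dataclass(frozen=True)
class Finding:
    objective: str
    line: int
    text: str

def preliminary_scan(code, objectives=OBJECTIVES):
    """Return the list of flagged areas: every (objective, line) a pattern hits."""
    flagged = []
    for n, text in enumerate(code.splitlines(), start=1):
        for name, pat in objectives.items():
            if pat.search(text):
                flagged.append(Finding(name, n, text.strip()))
    return flagged

def vulnerability_list(flagged, false_positives):
    """Step 2 output: flagged areas minus reviewer-confirmed false positives."""
    return [f for f in flagged if (f.objective, f.line) not in false_positives]
```

Running `vulnerability_list(preliminary_scan(SAMPLE_CODE), {("sql-injection", 14)})` keeps the two real hits (lines 3 and 10) and drops the literal-only concatenation on line 14, which is exactly the triage the table's "false positives eliminated" output describes.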

Activity Summary Table

Table 1 summarizes the security code review activity and shows the input and output for each step.

Table 1: Activity Summary with Input and Output

Step 1. Identify code review objectives
  Input:
  • Security requirements
  • Code (including list of changes since last review)
  • Constraints
  Output:
  • Code review objectives

Step 2. Perform the preliminary scan
  Input:
  • Code
  • Code review objectives
  Output:
  • Vulnerability list (with false positives eliminated)
  • List of flagged areas

Step 3. Review the code for security issues
  Input:
  • Code
  • Code review objectives
  • List of flagged areas
  Output:
  • Vulnerability list

Step 4. Review the code for security issues unique to the application architecture
  Input:
  • Code
  • Code review objectives
  Output:
  • Vulnerability list

Additionally, the following input is helpful:

  • Application security requirements
  • Architecture or component diagram
  • Data flows
  • Data schemas
  • Threat model
  • Usage scenarios

Threat modeling can be useful input for Step 1 of the code review activity because it provides a starting point for identifying code review objectives. For more information about threat modeling, see "Threat Modeling Web Applications" at http://msdn.microsoft.com/en-us/library/ms978516.aspx or "Threat Modeling Web Applications" at http://msdn.microsoft.com/ThreatModeling.

© 2014 Microsoft. All rights reserved.