Microsoft patterns & practices Software Inspections Guidance
Inspections are a white-box technique for proactively checking against specific criteria. You can integrate inspections as part of your testing process at key stages, such as design, implementation and deployment.
Performance
Performance Design Inspections
The review process analyzes the performance implications of your application's architecture and design. If you have just completed your application's design, the design documentation can help you with this process. Regardless of how comprehensive your design documentation is, you must be able to decompose your application and identify its key items, including boundaries, interfaces, data flow, caches, and data stores. You must also know the physical deployment configuration of your application.
Consider the following aspects when you review the architecture and design of your application:
- Deployment and infrastructure. You review the design of your application in relation to the target deployment environment and any associated restrictions that might be imposed by company or institutional policies.
- Performance and scalability frame. Pay particular attention to the design approaches you have adopted for those areas that most commonly exhibit performance bottlenecks. This guide refers to these collectively as the performance and scalability frame.
- Layer-by-layer analysis. You walk through the logical layers of your application and examine the performance characteristics of the various technologies that you have used within each layer. For example, ASP.NET in the presentation layer; Web services, Enterprise Services, and Microsoft® .NET Remoting within the business layer; and Microsoft SQL Server™ within the data access layer.
Performance Code Inspections
Code reviews should be a regular part of your development process. Performance and scalability code reviews focus on identifying coding techniques and design choices that could lead to performance and scalability issues. The review goal is to identify potential performance and scalability issues before the code is deployed. The cost and effort of fixing performance and scalability flaws at development time are far less than fixing them later in the product deployment cycle.
Avoid performance code reviews too early in the coding phase, because this can restrict your design options. Also, bear in mind that performance decisions often involve tradeoffs. For example, it is easy to reduce maintainability and flexibility while striving to optimize code.
Security
Security Design Inspections
To perform a security architecture and design review, evaluate your application architecture in relation to its target deployment environment. Next, review your design choices in each of the key areas defined by the security frame. Finally, conduct a layer-by-layer analysis and examine the security mechanisms employed by your key components within each of the layers. The following How To module shows you how to perform a security architecture and design review.
Security Code Inspections
Review your code each time there is a meaningful change instead of reviewing it all at once at the end of the project. This allows you to focus on what has changed rather than trying to find all the issues at once.
The code review process involves the following steps:
- Step 1. Identify security code review objectives. Establish goals and constraints for the review.
- Step 2. Perform a preliminary scan. Use static analysis to find an initial set of security issues and improve your understanding of where the security issues are most likely to be discovered through further review.
- Step 3. Review the code for security issues. Review the code thoroughly with the goal of finding security issues that are common to many applications. You can use the results of step two to focus your analysis.
- Step 4. Review for security issues unique to the architecture. Complete a final analysis looking for security issues that relate to the unique architecture of your application. This step is most important if you have implemented a custom security mechanism or any feature designed specifically to mitigate a known security threat.
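As an added illustration of how step two feeds step three (this is example code written for this page, not part of the patterns & practices guidance), the following Python script performs a small preliminary scan over constructed C# snippets: a handful of hypothetical line-based rules flag patterns that commonly deserve reviewer attention, and the files are ranked by hit count so the thorough review in step three can start where issues are most likely to be found.

```python
import re
from collections import Counter

# Hypothetical rules for a preliminary scan of C# source: each maps a rule id
# to a regex for a pattern that commonly deserves reviewer attention and a note
# saying what to examine in step 3. The regexes are deliberately simple; this
# is a triage aid for focusing review effort, not a verdict on the code.
RULES = {
    "sql-concat": (re.compile(r'new\s+SqlCommand\s*\(\s*"[^"]*"\s*\+'),
                   "SQL text built by string concatenation; check parameterization"),
    "unencoded-output": (re.compile(r'Response\.Write\s*\(.*Request\s*[\[\.]'),
                         "request data written to the response; check output encoding"),
    "hardcoded-secret": (re.compile(r'(?i)(password|pwd|connectionstring)\s*=\s*"[^"]+"'),
                         "literal credential or connection string in source"),
    "process-start": (re.compile(r'Process\.Start\s*\('),
                      "external process launched; check how its arguments are built"),
}

def preliminary_scan(sources):
    """Return (file, line_no, rule_id) for every rule hit, in file and line order."""
    findings = []
    for name, text in sources.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for rule_id, (pattern, _note) in RULES.items():
                if pattern.search(line):
                    findings.append((name, line_no, rule_id))
    return findings

def rank_files(findings):
    """Files ordered by hit count, most first (ties by name), to focus step 3."""
    counts = Counter(f[0] for f in findings)
    return sorted(counts, key=lambda n: (-counts[n], n))

# Constructed sample files for the demonstration (not from any real project).
SAMPLE = {
    "DataAccess.cs": (
        'string table = "Users";\n'
        'var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = \'" + name + "\'", conn);\n'
        'string connectionString = "Server=db;Password=s3cret";\n'
    ),
    "Search.aspx.cs": (
        'Response.Write("Results for " + Request["q"]);\n'
        'var safe = HttpUtility.HtmlEncode(Request["q"]);\n'
    ),
    "Report.cs": 'var p = Process.Start("cmd.exe", "/c " + userArg);\n',
}

if __name__ == "__main__":
    hits = preliminary_scan(SAMPLE)
    for name in rank_files(hits):
        print(name, [(l, r, RULES[r][1]) for f, l, r in hits if f == name])
```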
Security Deployment Inspections
You can use deployment reviews to discover security vulnerabilities in application configuration or the deployment environment. The linked resources use configuration categories to make deployment reviews for security systematic and repeatable. You can use these categories to break down your application deployment for further analysis and to help identify vulnerabilities. By using categories, you can work through the deployment review process systematically from start to finish, or pick a particular category for further analysis.