How to Conduct a Code Review
A properly conducted code review can do more for the security of your application than nearly any other step. A large numbers of bugs can be found and fixed before the code makes it into an official build or into the hands of the test team. Additionally the code review process lends itself very well to sharing security best practices amongst a development team and it produces ‘lessons’ that can be learned from in order to prevent future bugs.
This guide focuses first on identifying the types of issues that you should look for in the code being reviewed, and then on finding these bugs as quickly and effectively as possible. It also describes how you can use threat models, architecture diagrams and other inputs to help guide your review.