Process for Performing Security Code Reviews

August 3, 2006

No one really likes reviewing source code for security vulnerabilities; it’s slow, tedious, and mind-numbingly boring. Yet, code review is a critical component of shipping secure software to customers. Neglecting it isn’t an option.

I get to review quite a bit of code—not as much as I used to, but enough to keep me busy helping teams at Microsoft. Sometimes people just want my take on small snippets of perhaps 100 lines of code, and other times I get hundreds of thousands of lines.

People often ask how I review code for security vulnerabilities when faced with a massive amount to review. At a very high level, my process is simple: make sure you know what you’re doing; prioritize; review the code. Although my approach might not work for you, I’ve fine-tuned it over the years based on comments and lessons from people I consider much better than me at reviewing code. Let’s look at each step in more detail.