"The Basics of Security Code Review"

Developers should be more responsible for the security of their code. One of the best ways to ensure software quality is to perform source code reviews to identify and remediate security risks before an application moves into production. Developers already spend a significant number of hours finding and fixing bugs in code. According to a recent survey conducted by the software firm Rollbar, 32 percent of developers spend up to 10 hours a week remediating bugs, while 16 percent spend up to 15 hours a week, and 6 percent dedicate up to 20 hours a week to fixing bugs instead of writing new code. Open-source code is also widely used in software development. Currently, 99 percent of codebases have at least one open-source component, and 91 percent have components that are either out of date by more than four years or have not seen development activity in the last two years. Efforts to secure open-source code remain in a wild west phase. Some of the best tactics for performing security code review include determining the most common vulnerabilities for the type of application you are working with, tracking data flow, ensuring your application uses secure settings based on best practices, and finding the right tools to help remediate security issues more efficiently. This article continues to discuss how much time developers dedicate to finding and fixing bugs in code, and some best practices for performing security code reviews.

Help Net Security reports "The Basics of Security Code Review"
