This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Security Code Review in the SDLC"
(→Preface) |
|||
Line 13: | Line 13: | ||
# Team review | # Team review | ||
# Inspection | # Inspection | ||
+ | |||
+ | |||
+ | == Mature Secure Code Review (SCR) Model == | ||
+ | |||
+ | Throughout the SDLC there are points at which an application security consultant should get involved. These points, "touch points" can be used to investige the status of the code being developed from a security standpoint. The reason for interviening at regular intervals is that potential issues can be detected early on in the development life cycle and hence total cost of ownership (TCO) is less in the long term. | ||
+ | |||
+ | '''Waterfall SDLC exmaple''' | ||
+ | #Requirements definition | ||
+ | ## Functional specification | ||
+ | #Design | ||
+ | ## Detailed design specification | ||
+ | #Development | ||
+ | ##Coding | ||
+ | ## Unit test | ||
+ | #Test | ||
+ | ##functional Testing | ||
+ | ## System testing | ||
+ | ##integration testing | ||
+ | ##UAT (User acceptance testing | ||
+ | #Deployment | ||
+ | ## Change control | ||
+ | # Maintenance | ||
+ | |||
+ | |||
[[Category:OWASP Code Review Project]] | [[Category:OWASP Code Review Project]] |
Revision as of 14:01, 2 January 2007
OWASP Code Review Guide Table of ContentsPreface
Code reviews vary widely in their level of formality. Reviews can be as informal as inviting a friend to help look for a hard to find bug, and they can be as formal as a software inspection process with trained teams, assigned roles and responsibilities, and a formal metric and quality tracking program.
In Peer Reviews in Software, Karl Wiegers lists seven review processes from least to most formal:
- Ad hoc review
- Passaround
- Pair programming
- Walkthrough
- Team review
- Inspection
Mature Secure Code Review (SCR) Model
Throughout the SDLC there are points at which an application security consultant should get involved. These points, "touch points" can be used to investige the status of the code being developed from a security standpoint. The reason for interviening at regular intervals is that potential issues can be detected early on in the development life cycle and hence total cost of ownership (TCO) is less in the long term.
Waterfall SDLC exmaple
- Requirements definition
- Functional specification
- Design
- Detailed design specification
- Development
- Coding
- Unit test
- Test
- functional Testing
- System testing
- integration testing
- UAT (User acceptance testing
- Deployment
- Change control
- Maintenance