This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
CRV2 WhatIsCodeReview
What is Security Source Code Review?
Source code review is the practie of reviewing developed code for vulnerabilities. There are many ways to review the security of an application and it is recommended to perform more than one method to help ensure more assessment coverage. Penetraiton testing is great at finding certain bugs such as technical signature or API based issues. Issues related to privacy, information leakage, denial of service are more suited to code review. Source code review is also good practice as you are finding issues early in the SDLC. Locating and fixing issues early in your SDLC makes it chepaer in terms of effort and cost to remediate. It also empowers developers to understand suecurity bugs at the source code level such that they may not repeat the same mistakes.