This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Automated Code Review

Revision as of 11:50, 28 June 2006 by Jwalden (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
OWASP Code Review Guide Table of Contents


While manual code reviews can find security flaws in code, they suffer from two problems. Manual code reviews are slow, covering 100-200 lines per hour on average. Also, there are hundreds of security flaws to look for in code, while humans can only keep about seven items in memory at once. Source code analysis tools can search a program for hundreds of different security flaws at once at a rate far greater than any human can review code. However, these tools don't eliminate the need for a human reviewer, as they produce both false positive and false negative results.