This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Code Review Metrics"
| Line 13: | Line 13: | ||
| − | #Fault Density | + | #Fault Density: |
| + | ## per Lines of code (LOC) | ||
| + | The count of executable lines of code. Commented-out code or spaces don't count. | ||
| + | |||
| + | ## per Function Point: | ||
| + | The combination of a number of statememts which e perform a specific task. | ||
| + | |||
#Risk Density | #Risk Density | ||
#Defect correction rate | #Defect correction rate | ||
Revision as of 17:22, 28 May 2008
Introduction
The objective of code review is to detect development errors which may cause vulnerabilities and hence give rise to an exploit. Code review can also be used to measure the progress of a development team in their practice of secure application development. It can pinpoint areas where the development practice is weak, areas where secure development practice is strong and give a security practitioner the ability to address the root cause of the weaknesses within a developed solution.
Metrics can also be taken relating to the performance of the code reviewers and the accuracy of the review process.
Secure Development Metrics
- Fault Density:
- per Lines of code (LOC)
The count of executable lines of code. Commented-out code or spaces don't count.
- per Function Point:
The combination of a number of statememts which e perform a specific task.
- Risk Density
- Defect correction rate
- Path complexity/complexity-to-defect/cyclomatic complexity
Review Process Metrics
- Inspection Rate
- Defect detection Rate
- Code Coverage
