Code Review Process
Manually reviewing an entire organization's codebase efficiently is often impractical, unless the codebase is relatively small or the security team is unusually large. To avoid bottlenecks and ensure scalability, it’s important to define clear criteria for when and how manual code reviews should be conducted. For example, reviews can be prioritized for major or minor releases, while patch releases may be exempt. Alternatively, reviews could be triggered by the introduction of new features or scheduled at regular intervals.
Manual reviews should complement automated scanning, not duplicate it. Common vulnerabilities are typically covered by SAST scans and other automated tools. Therefore, manual efforts should focus on areas beyond the reach of static analysis—such as complex control flows, edge cases, and business logic vulnerabilities. This targeted approach ensures that manual reviews add meaningful value to the overall security assurance process.
Outcome
- There's a documented process for the code review and common topics to look for
- There's a process that outlines the requirements for a manual code review and this is enforced
Metrics
- Vulnerabilities found in code review
- Vulnerabilities found by severity
- Time to review code
Tools & Resources
- OWASP Application Security Verification Standard (Free)
- OWASP Cheat Sheet Series (Free)
- OWASP Mobile Application Security Checklist (Free)
- OWASP Web Security Testing Guide (Free)
- OWASP API Security Project (Free)