Abstract

This case study from company ABC analyzes and identifies an approach to developing and maintaining secure systems and applications, including the selection of suitable static-analysis code-scanning tools for application development. ABC is planning an enterprise data protection approach that protects data across the information life cycle. ABC acknowledges that secure development will take a long time to implement, partly because manual code reviews are expensive and time-consuming. ABC is selecting a solution that includes code reviews and scanning of the code of internal non-web applications. ABC has also identified a long-term project that will include penetration testing as well as scanning and review of the web application code base. This article is based on a project case study in protecting enterprise applications that are not web related. In extending code reviews to the non-web applications, we also briefly discuss other types of protection. An effective code-scanning tool would certainly be useful in ABC's development process. As a security-oriented organization, ABC considers it very important to minimize the number of bugs, and the use of code-scanning tools is also mandated by Microsoft's SDL. Whatever tool and configuration are selected, the tool must be accompanied by manual code reviews, appropriate testing (including fuzz testing), coding standards that are actually followed, and proper education.
