A process for performing security code reviews
No one really likes reviewing source code for security vulnerabilities; it's slow, tedious, and mind-numbingly boring. Yet, code review is a critical component of shipping secure software to customers. Neglecting it isn't an option.
I get to review quite a bit of code, not as much as I used to, but enough to keep me busy helping teams at Microsoft. Sometimes people just want my take on small snippets of perhaps 100 lines of code, and other times I get hundreds of thousands of lines.