Code Reviews James Walden Northern Kentucky University.

Slides:



Advertisements
Similar presentations
Configuration Management
Advertisements

1.Quality-“a characteristic or attribute of something.” As an attribute of an item, quality refers to measurable characteristics— things we are able to.
Damian Gordon.  Static Testing is the testing of a component or system at a specification or implementation level without execution of the software.
More CMM Part Two : Details.
Copyright (c) 2003 Howard E. Dow1 Results from Inspecting Test Automation Scripts Howie Dow
Code Reviews James Walden Northern Kentucky University.
Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.
Copyright © 1994 Carnegie Mellon University Disciplined Software Engineering - Lecture 1 1 Disciplined Software Engineering Lecture #7 Software Engineering.
Static Technique. Static Technique - Review  A way of testing software work products  Program code, requirement spec., design spec.  Test plan, test.
Inspection (c) 2007 Mauro Pezzè & Michal Young Ch 18, slide 1 Photo credit jurvetson on Flickr.com; creative commons attribution license.
Testing Without Executing the Code Pavlina Koleva Junior QA Engineer WinCore Telerik QA Academy Telerik QA Academy.
Overview Lesson 10,11 - Software Quality Assurance
Software Quality Metrics
Applied Software Project Management Andrew Stellman & Jennifer Greene Applied Software Project Management Applied Software.
SE 555 Software Requirements & Specification Requirements Validation.
CSC 395 – Software Engineering Lecture 9: Testing -or- How I Stopped Worrying and Learned to Love the Bug.
 QUALITY ASSURANCE:  QA is defined as a procedure or set of procedures intended to ensure that a product or service under development (before work is.
Verification and Validation
1 Software Inspections and Walkthroughs Author: A. Frank Ackerman Presented by Cynthia Johnson EEL6883.
KENDA ALBERTSON Formal Peer Review Processes for Software and Documents.
SystematicSystematic process that translates quality policy into measurable objectives and requirements, and lays down a sequence of steps for realizing.
OHT 4.1 Galin, SQA from theory to implementation © Pearson Education Limited 2004 Software Quality assurance (SQA) SWE 333 Dr Khalid Alnafjan
Applied Software Project Management Andrew Stellman & Jennifer Greene Applied Software Project Management Applied Software.
Software Quality Chapter Software Quality  How can you tell if software has high quality?  How can we measure the quality of software?  How.
Software Inspections and Walkthroughs By. Adnan khan.
Article: Source Code Review Systems Author: Jason Remillard Presenter: Joe Borosky Class: Principles and Applications of Software Design Date: 11/2/2005.
SoITSSpecifications of IT systems? 1 Specifications of IT systems checking and validating Jens Bennedsen and Peter Gorm Larsen
Galin, SQA from theory to implementation © Pearson Education Limited 2004 Review objectives Formal design reviews (FDRs) Participants Preparations The.
Software Reviews. Introduction/Motivation When creating written documents, it is a good idea to have someone else proof read your work. Oftentimes an.
Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 10: Testing and Inspecting to Ensure High Quality Part 4:
Software Inspections. Defect Removal Efficiency The number of defects found prior to releasing a product divided by The number of defects found prior.
© Mahindra Satyam 2009 Defect Management and Prevention QMS Training.
Phil Cronin Anne Hill Allen Schones CIS841 Summer on Campus 1998 IN-PROCESS INSPECTIONS FOR OBJECT ORIENTED DESIGNS.
Team Assignment 15 Team 04 Class K15T2. Agenda 1. Introduction 2. Measurement process 3. GQM 4. Strength Weakness of metrics.
Disciplined Software Engineering Lecture #7 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by the U.S. Department.
© 2007 Pearson Education, Inc. Publishing as Pearson Addison-Wesley 1 Product Design Finalization; Inspections.
Formal Technical Reviews Matt Graham 18 November 2004 EECS 814 University of Kansas.
Process Improvement. Improving the Test Process In the Software V&V course, Prof. Uwe asked the question: How to improve the Testing Process?
From Quality Control to Quality Assurance…and Beyond Alan Page Microsoft.
Jump to first page (C) 1998, Arun Lakhotia 1 Quality Assurance: Reviews and Walkthroughs Arun Lakhotia University of Southwestern Louisiana Po Box
Copyright © 1994 Carnegie Mellon University Disciplined Software Engineering - Lecture 7 1 Design and Code Reviews - Overview What are design and code.
Software Testing and Maintenance 1 Code Review  Introduction  How to Conduct Code Review  Practical Tips  Tool Support  Summary.
©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 19Slide 1 Chapter 19 Verification and Validation.
Static Analysis James Walden Northern Kentucky University.
Software Development Quality Practices Code Reviews Inspections Walkthroughs.
Applied Software Project Management Andrew Stellman & Jennifer Greene Applied Software Project Management Applied Software.
Code review. informal formal ad hoc reviewpair programmingwalk throughinspection/review.
Chapter 12: Software Inspection Omar Meqdadi SE 3860 Lecture 12 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
1 One Last Book, One Last Topic Code reviews / software inspections.
INFO 637Lecture #71 Software Engineering Process II Product Implementation INFO 637 Glenn Booker.
Software Engineering Modern Approaches Eric Braude and Michael Bernstein 1.
© Michael Crosby and Charles Sacker, 2001 Systematic Software Reviews Software reviews are a “quality improvement process for written material”.
Software Engineering Lecture 8: Quality Assurance.
Testing and Debugging. Testing Fundamentals  Test as you develop Easier to find bugs early rather than later Prototyping helps identify problems early.
Reviews Chapter 5 Applied Software Project Management, Stellman & Greene See also:
DevCOP: A Software Certificate Management System for Eclipse Mark Sherriff and Laurie Williams North Carolina State University ISSRE ’06 November 10, 2006.
Verification vs. Validation Verification: "Are we building the product right?" The software should conform to its specification.The software should conform.
Configuration Management
Software Project Configuration Management
Software Quality Control and Quality Assurance: Introduction
Software Configuration Management (SCM)
Peer Review and Testing
CSC 480 Software Engineering
Verification and Validation
Quality Measurable characteristic Cyclomatic complexity Cohesion
Applied Software Project Management
QA Reviews Lecture # 6.
White Box testing & Inspections
Code Reviews Assignment Each team should perform a code review
Software Reviews.
Presentation transcript:

Code Reviews James Walden Northern Kentucky University

CSC 666: Secure Software Engineering Topics 1.Types of Reviews 2.Code Review Process 3.Checklists 4.Prioritizing Code to Review

CSC 666: Secure Software Engineering Code Reviews Inspection of source code by one or more people who aren’t the author of the code.  Goal: Identify defects for later removal.  People: Moderator, reviewers.  Scope: Module or small set of classes.  Time: 1-2 hours; <1kloc

CSC 666: Secure Software Engineering Benefits of Code Reviews 1.Find defects sooner in the lifecycle. (IBM finds 82% of defects before testing.) 2.Find defects with less effort than testing. (IBM—rev: 3.5 hrs/defect, test: hrs/defect.) 3.Find different defects than testing. (Can identify design and requirements problems too.) 4.Educate developers about security bugs. (Developers frequently make the same mistakes.)

CSC 666: Secure Software Engineering PCI DSS b Obtain and review policies to confirm that all custom application code changes for web applications must be reviewed (using either manual or automated processes) as follows: ƒ Code changes are reviewed by individuals other then the originating code author, and by individuals who are knowledgeable in code revie techniques and secure coding practices. ƒ Code reviews ensure code is developed accordin to secure coding guidelines such as the Open Web Security Project Guide (see PCI DSS Requirement 6.5). ƒ Appropriate corrections are implemented prior to release. ƒ Code review results are reviewed and approved by management prior to release.

CSC 666: Secure Software Engineering Inspections  Most formal process.  Thorough coverage with separated roles.  Use checklists to focus on specified goals.  Collect metrics to track defects.  Determine whether further inspections of revised software needed at end of meeting.  Extensive documentation of effectiveness.  One study found defects/kloc with inspections compared with 3 defects/kloc in informal walkthrough.

CSC 666: Secure Software Engineering Roles in Reviews 1.Moderator Manages meeting; follows up on issues. 2.Reader Paraphrases code during meeting. Not the author. 3.Recorder Records bugs discovered. 4.Author Provides context for code; answers questions. Makes corrections after code review.

CSC 666: Secure Software Engineering Walkthroughs  Less formal process.  Author leads meeting and describes code.  Focus on author needs, not quality goals.  No checklists used or metrics gathered.  Quality varies widely.  Walkthrough quality depends solely on author.  Useful for educating developers about code, provide high level view of design and defects.

CSC 666: Secure Software Engineering Code Review Process Planning Author Moderator Prep Everyone Meeting Everyone Rework Author Follow-up Author Moderator

CSC 666: Secure Software Engineering Planning 1.Author initiates Planning once code ready. 2.A Moderator is assigned to inspection. 3.Author and Moderator assemble inspection pkg. 4.Moderator identifies other participants. Planning Author Moderator Prep Everyone Meeting Everyone Rework Author Follow-up Author Moderator

CSC 666: Secure Software Engineering Preparation 1.Reviewers examine inspection package. 2.Reviewers use checklists and analysis tools. 3.Reviewers mark bugs found. Planning Author Moderator Prep Everyone Meeting Everyone Rework Author Follow-up Author Moderator

CSC 666: Secure Software Engineering Meeting 1.Reader describes code in own words. 2.Reviewers comment and ask questions. 3.Recorder notes all potential bugs, suggestions. 4.Team appraises code at meeting conclusion. Planning Author Moderator Prep Everyone Meeting Everyone Rework Author Follow-up Author Moderator

CSC 666: Secure Software Engineering Rework Author addresses issues recorded at meeting. Planning Author Moderator Prep Everyone Meeting Everyone Rework Author Follow-up Author Moderator

CSC 666: Secure Software Engineering Follow-up 1.Moderator meets with Author about rework. 2.Moderator verifies all changes made correctly. 3.Author checks in corrected code. Planning Author Moderator Prep Everyone Meeting Everyone Rework Author Follow-up Author Moderator

CSC 666: Secure Software Engineering Formality Spectrum ReviewPlanningPrepMeetingReworkFollowup InspectionYes Team ReviewYes No WalkthroughYesNoYes No Pair Programming YesNoCon- tinuous Yes Peer Deskcheck NoYesPossiblyYesNo Ad Hoc Review No Yes No

CSC 666: Secure Software Engineering Code Review Tips 1.Know your limits. Typical review speed is lines/hour. Limit meeting length to 1-2 hours. 2.Know what bugs to look for. Checklists Static analysis tools 3.Use tools. Simple tools: grep, findstr Code viewers Static analysis tools 4.Require preparation before the meeting.

CSC 666: Secure Software Engineering Checklists Security reviews should include checklists of common problems, including: 1.SQL injection 2.Cross-site scripting 3.Input validation bugs 4.Checking return values 5.Resource name canonicalization 6.Race conditions

CSC 666: Secure Software Engineering Code Review Problems 1.Requires substantial expertise in area of programming and security to be effective. 2.Human readers are fallible and will miss mistakes. 3.Code reviews are slow. Unreviewed legacy code will take time to review.

CSC 666: Secure Software Engineering Prioritizing Code If you can’t review everything, review  Code that runs with privileged mode.  Code that listens on globally accessible sockets.  Code that is accessible w/o authentication.  Code with a history of vulnerabilities.  Code that handles sensitive data.  Complex code.  Code that changes frequently.

CSC 666: Secure Software Engineering Reviewing for SQL Injection

CSC 666: Secure Software Engineering Ex: Zune infinite loop on 12/31/08 year = 1980; while (days > 365) { if (IsLeapYear(year)) { if (days > 366) { days -= 366; year += 1; } } else { days -= 365; year += 1; } }

CSC 666: Secure Software Engineering Key Points  Roles  Moderator  Reader  Recorder  Author  Process  Planning  Preparation  Meeting  Re-work  Followup

CSC 666: Secure Software Engineering References 1.Brian Chess and Jacob West, Secure Programming with Static Analysis, Addison-Wesley, Michael Howard, “A Process for Performing Security Code Reviews.” IEEE Security & Privacy, July Eoin Keary et. al., OWASP Code Review Guide 1.1, de_Review_Project, de_Review_Project 4.Steve McConnell, Code Complete, 2/e, Microsoft Press, Gary McGraw, Software Security, Addison-Wesley, PCI Security Standards Council, PCI DSS Requirements and Security Assessment Procedures, v1.2, Karl Wiegers, Peer Reviews in Software, Addison- Wesley, 2002.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.