
Benefiting from Code Inspections Kevin W. Wall 2009-04-29 Copyright © – Kevin W. Wall – Some Rights Reserved. This work is made available and licensed.


1 Benefiting from Code Inspections
Kevin W. Wall
2009-04-29
Copyright © – Kevin W. Wall – Some Rights Reserved. This work is made available and licensed under the Creative Commons® Attribution-ShareAlike 3.0 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/

2 Who is this stranger and why is he here?
- BS in physics/math; MS in CIS
- 30 yrs in IT (17 - Bell Labs, 3 - independent consultant, 10 - Qwest) and way-too-many code inspections
- Last 10 yrs in computer security, where as team lead, I've mandated code reviews

3 Agenda
- Terminology
- Goals of Code Inspections
- Benefits of Code Inspections
- Code Inspection Roles
- Inspection Process
- Pragmatic Tips
- Why Inspections Fail
- Variation: Security Code Inspections

4 Terminology
- Fagan inspections
- Inspection vs. review vs. walk-through
- Entrance criteria
- Exit criteria

5 Goals of Code Inspections
- Identify defects
- Improve code maintainability
- Ensure conformance
  - To design
  - To coding standards
  - To security policies

6 Benefits of Code Inspections
- Improved efficiency at defect removal
- More readable code
- Mentoring / training opportunities
- Learn strengths / weaknesses of individual developers
- Ensure policy conformance

7 Code Inspection Roles
- Moderator – 1
- Author(s) – 1 or more
- Reader – 1
- Recorder / scribe – 1
- Inspector(s) – multiple

8 Inspection Process
- Planning
- Overview meeting
- Preparation
- Inspection meeting
- Rework
- Follow-up
(Figure: process flow Planning -> Overview -> Preparation -> Meeting -> Rework -> Follow-up)

9 Example of Forms Used in Code Review (1 of 2)

10 Example of Forms Used in Code Review (2 of 2)

11 Pragmatic Tips
- Get management buy-in
- Moderator must maintain control
- Keep review team sizes small
- Ensure adequate preparation
- Use tool support, especially in preparation step
- Have something to review the code against
- Don't rush to completion
- Be smart in what & how you inspect
- Do what works

12 Why Inspections Fail (1 of 2)
- No management buy-in
  - Too expensive; not enough time in the schedule
  - No obvious / apparent ROI
  - Quality control issues:
    - Procrastination: “Never time to do it right, but always time to do it over.”
    - Advanced lip-service: QC is just a check-box.
  - Misunderstanding your customers (business says everything is time-to-market driven so “schedule is king”)

13 Why Inspections Fail (2 of 2)
- Developer feuds
- No defined process
- What are we inspecting against?
- Fear of criticism / peer review
- Religious wars
- Moderator fails to maintain control

14 Variation: Security Code Inspections
- Goal: Find potential vulnerabilities in source code without inspecting all source
- How?
  - Use tool assistance (e.g., security code scanners like flawfinder, RATS, ITS4, etc.)
  - Go after the low hanging fruit: Focus on high risk components

15 Identifying High Risk Components
- Those with history of vulnerabilities or high bug rate
- Examine where data flows across trust boundaries
- Those with broadest attack surface
  - Attack surface: Set of (possibly unintended) functionality available to potential attackers
  - Input parameters, services used, foreign databases or files, unrestricted directories, environment variables, protocols, etc.
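As an added example, not part of the talk, here is a small triage script in the spirit of slides 14 and 15: it ranks constructed components for security inspection by combining vulnerability history, bug rate and a count of attack-surface entry points found in the source. The indicator regexes, the weights and the sample components are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical attack-surface indicators, grouped by the categories on
# slide 15 (the patterns themselves are assumptions, not from the talk).
SURFACE_PATTERNS = {
    "input parameters": r"\bargv\b|\brequest\.(args|form|json)\b",
    "environment variables": r"\bgetenv\(|\bos\.environ\b",
    "files / directories": r"\bopen\(|\bfopen\(|\bos\.listdir\(",
    "protocols / services": r"\brecv\(|\bsocket\.|\burlopen\(",
}

@dataclass
class Component:
    name: str
    source: str
    past_vulns: int = 0    # vulnerabilities recorded against this component
    bug_rate: float = 0.0  # defects per KLOC from the bug tracker (constructed)

def surface_hits(source):
    """Count places where data enters from each attack-surface category."""
    return {cat: len(re.findall(pat, source)) for cat, pat in SURFACE_PATTERNS.items()}

def risk_score(c):
    """Heuristic ranking: history weighs most, then entry points, then bug rate.
    The weights are assumptions chosen for illustration."""
    return 5 * c.past_vulns + 2 * sum(surface_hits(c.source).values()) + c.bug_rate

def prioritize(components):
    """Order components for inspection, highest risk first."""
    return sorted(components, key=risk_score, reverse=True)

# Constructed sample components standing in for a real code base.
SAMPLE = [
    Component("auth_handler",
              "def login(request):\n    user = request.form['u']\n"
              "    pw = request.form['p']\n", past_vulns=2, bug_rate=1.5),
    Component("config_loader",
              "def load():\n    path = os.environ['CFG']\n"
              "    with open(path) as f:\n        return f.read()\n",
              bug_rate=0.4),
    Component("math_utils", "def mean(xs):\n    return sum(xs) / len(xs)\n",
              bug_rate=0.1),
]

if __name__ == "__main__":
    for c in prioritize(SAMPLE):
        print(f"{c.name:14} score={risk_score(c):5.1f} {surface_hits(c.source)}")
```

The ranking is only a starting point for the inspection queue; a scanner such as those named on slide 14 can replace the regex indicators with real findings.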

16 Questions??? (If you think of something later, OK to email me.)
