422.51 Code review

Improve software security and quality by systematically reviewing code before it is released.

Overview

Code review is the practice of examining source code to identify mistakes, inconsistencies, or vulnerabilities before the software is deployed. In secure development, code review plays a critical role in catching errors early, enforcing coding standards, and detecting security risks that automated tools might miss.

Code reviews are not just about fixing bugs—they help developers share knowledge, clarify intentions, and develop a deeper understanding of the system as a whole. They are essential for building secure, maintainable, and professional software.

Targets

In this topic, students learn to:

  • Explain the purpose and benefits of code review

  • Identify common issues found during a review

  • Apply structured review techniques in a team setting

  • Evaluate code for clarity, correctness, and security

Syllabus references

Secure software architecture

Developing secure code

  • Apply and evaluate strategies used by software developers to manage the security of programming code, including – code review

Why review code?

Even experienced developers make mistakes. Code reviews help catch:

  • Logic errors and off-by-one mistakes

  • Inconsistent naming or formatting

  • Misuse of functions or APIs

  • Missing input validation or error handling

  • Security vulnerabilities (e.g. hardcoded credentials, unsafe data processing)

They also help:

  • Ensure that code meets agreed-upon standards

  • Encourage shared ownership of the codebase

  • Reduce knowledge silos and improve maintainability

Review techniques

1. Peer review

One developer reviews another's code before it is merged. This is the most common practice in collaborative teams.

2. Walkthrough

The author presents their code to a group and explains their logic and decisions. The group asks questions and suggests improvements.

3. Tool-assisted review

Version control platforms (e.g. GitHub, GitLab) allow developers to comment on specific lines, suggest changes, and approve merges.

4. Checklist-based review

Reviewers follow a standard list of checks. For example:

  • Are inputs validated?

  • Are passwords or keys hardcoded?

  • Are exceptions handled securely?

  • Is the code modular and readable?

Best practices

  • Keep reviews focused—small pull requests are easier to evaluate

  • Use comments to ask questions or suggest improvements—not to criticise

  • Encourage explanations for complex logic

  • Use automation (linters, formatters) to handle low-level issues

  • Document decisions, not just changes

Example checklist (basic)

Check                Description
✅ Input validation   All user input is checked or sanitised
✅ Error handling     Exceptions are caught and logged appropriately
✅ Access control     Only authorised users can access sensitive functions
✅ Secure storage     No credentials or secrets are stored in plaintext
✅ Clarity            Code is easy to read and well-commented where needed
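The checklist items in the "Checklist-based review" section and the table above can be seen in practice on a piece of code. The following is an added example, not part of the original topic page: a constructed snippet as it might be submitted in a pull request, the revised version after a reviewer's comments were addressed, and a small Python checker (built on the standard ast module) that applies three of the checklist items (secure storage, error handling, input validation) automatically, in the spirit of the tool-assisted review described earlier. The sample code, the function names and the secret value are all constructed for this illustration.

```python
import ast
import textwrap

# Constructed sample of code as it might arrive in a pull request.
# The weak patterns are deliberate, to show what the checklist catches;
# this is not code from any real project.
SUBMITTED = textwrap.dedent('''
    import sqlite3

    DB_PASSWORD = "hunter2"   # secret hardcoded in source

    def get_user(conn, user_id):
        try:
            cur = conn.execute("SELECT * FROM users WHERE id = " + user_id)
            return cur.fetchone()
        except:               # bare except hides every failure
            pass
''')

# The same code after review: secret read from the environment,
# input validated, query parameterised, exception logged and re-raised.
REVISED = textwrap.dedent('''
    import os
    import sqlite3
    import logging

    DB_PASSWORD = os.environ["DB_PASSWORD"]

    def get_user(conn, user_id):
        if not isinstance(user_id, int):
            raise ValueError("user_id must be an integer")
        try:
            cur = conn.execute("SELECT * FROM users WHERE id = ?", (user_id,))
            return cur.fetchone()
        except sqlite3.Error:
            logging.exception("lookup failed for user %s", user_id)
            raise
''')

# Variable-name fragments that suggest a secret (hypothetical list for this example)
SECRET_NAMES = ("password", "passwd", "secret", "token", "api_key")
SQL_VERBS = ("SELECT", "INSERT", "UPDATE", "DELETE")


def review_source(src):
    """Return (line, check, message) findings for three checklist items."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        # Secure storage: a string literal assigned to a secret-looking name
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Name)
                        and any(k in target.id.lower() for k in SECRET_NAMES)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)):
                    findings.append((node.lineno, "secure storage",
                                     "hardcoded secret in " + target.id))
        # Error handling: a bare except, or a handler whose only statement is pass
        if isinstance(node, ast.ExceptHandler):
            if node.type is None:
                findings.append((node.lineno, "error handling", "bare except"))
            if len(node.body) == 1 and isinstance(node.body[0], ast.Pass):
                findings.append((node.lineno, "error handling",
                                 "exception swallowed with pass"))
        # Input validation: SQL text built by concatenating a value onto a query
        if (isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add)
                and isinstance(node.left, ast.Constant)
                and isinstance(node.left.value, str)
                and node.left.value.lstrip().upper().startswith(SQL_VERBS)):
            findings.append((node.lineno, "input validation",
                             "SQL query built by string concatenation"))
    return findings


if __name__ == "__main__":
    for line, check, message in review_source(SUBMITTED):
        print(f"line {line}: [{check}] {message}")
    print("revised version:", review_source(REVISED) or "no findings")
```

Running review_source(SUBMITTED) reports the hardcoded DB_PASSWORD, the bare except that swallows every failure, and the SQL query built by concatenation; review_source(REVISED) returns no findings. A checker like this complements rather than replaces a human reviewer: the access-control and clarity items in the table still need a person reading the code and understanding what it is for.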

Summary

  • Code reviews improve code quality, maintainability, and security

  • They are a key defence against mistakes and oversights

  • Effective reviews are structured, respectful, and supported by tools

  • Secure software development depends on both automated and human review processes
