Code review is probably the single most effective technique for identifying security flaws. When used together with automated tools and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort.

Manual security code review provides insight into the "real risk" associated with insecure code. This is the single most important value from a manual approach. A human reviewer can understand the context for certain coding practices, and make a serious risk estimate that accounts for both the likelihood of attack and the business impact of a breach.

Security code review is the process of auditing the source code for an application to verify that the proper security controls are present, that they work as intended, and that they have been invoked in all the right places. Code review is a way of ensuring that the application has been developed so as to be "self-defending" in its given environment.
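The three questions in the paragraph above (is the control present, does it work, is it invoked everywhere it is needed) can be illustrated on a small piece of code. The following is an added example, not code from the original page or from any OWASP project: a hypothetical, framework-free handler registry with a `requires_role` decorator standing in for an authorization control, and the checks a reviewer would apply. The route paths, role names, the `/admin/` policy and the sample users are all constructed for the illustration.

```python
"""Added illustration (not part of the original page): a minimal, hypothetical
request-handling layer with an authorization control, plus the three checks a
reviewer applies: the control is present, it works as intended, and it is
invoked on every handler that needs it."""
from functools import wraps


class Forbidden(Exception):
    """Raised when the caller lacks the required role."""


# Hypothetical handler registry standing in for a web framework's router.
HANDLERS = {}


def route(path):
    """Register a handler under a URL path (constructed stand-in for a router)."""
    def register(fn):
        HANDLERS[path] = fn
        return fn
    return register


def requires_role(role):
    """The security control under review: deny unless the caller holds `role`."""
    def decorate(fn):
        @wraps(fn)
        def guarded(user, *args, **kwargs):
            if role not in user.get("roles", ()):
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(user, *args, **kwargs)
        guarded.required_role = role  # marker the audit below looks for
        return guarded
    return decorate


# Constructed sample application code, as a reviewer would read it.
@route("/admin/users")
@requires_role("admin")
def list_users(user):
    return ["alice", "bob"]


@route("/admin/users/delete")
def delete_user(user, name):       # control missing: a reviewer should flag this
    return f"deleted {name}"


@route("/profile")
def view_profile(user):            # intentionally public, no role needed
    return f"profile of {user['name']}"


# Review checks 1 and 2: the control exists and actually denies the wrong caller.
def control_works():
    admin = {"name": "root", "roles": ("admin",)}
    guest = {"name": "eve", "roles": ()}
    allowed = list_users(admin) == ["alice", "bob"]
    try:
        list_users(guest)
        denied = False
    except Forbidden:
        denied = True
    return allowed and denied


# Review check 3: is the control invoked everywhere it is needed? The assumed
# policy here is "every path under /admin/ requires the admin role"; a handler
# registered under that prefix without the marker is reported.
def find_unprotected_admin_routes(handlers=HANDLERS, prefix="/admin/"):
    return sorted(
        path for path, fn in handlers.items()
        if path.startswith(prefix) and getattr(fn, "required_role", None) != "admin"
    )


if __name__ == "__main__":
    print("control works:", control_works())
    print("unprotected admin routes:", find_unprotected_admin_routes())
```

The point of the third check is that a correct, well-tested control still leaves the application exposed wherever it was simply not applied; that gap is exactly what a human reviewer reading the routing layer catches and what an automated scanner of the control's own code does not.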

Security code review is a method of assuring that application developers are following secure development techniques. A general rule of thumb is that a penetration test should not discover any additional vulnerabilities in the developed code after the application has undergone a proper security code review.


  • Security code review in the SDLC
  • Application threat modelling
  • Authentication
  • Authorization
  • Session management
  • Input validation
  • Error handling
  • Secure application development
  • Cryptographic controls
  • Buffer overruns
  • OS injection
  • SQL injection
  • Cross-site scripting
  • Cross-site request forgery issues
  • Logging issues
  • Session integrity issues