A properly conducted code review can do more for the security of your application than nearly any
other step. A large number of bugs can be found and fixed before the code makes it into an official
build or into the hands of the test team.
Additionally, the code review process lends itself well to sharing security best practices across a development team, and it produces ‘lessons’ that can be applied to prevent similar bugs in the future. Code review is an ongoing process that, ideally, should occur with every code check-in. The cost of high security is eternal vigilance!
The code review approach presented here focuses first on identifying the types of issues you should look for in the code being reviewed, and then on finding those bugs as quickly and effectively as possible. You will use threat models, architecture diagrams and other inputs to guide your review, and then use the list of discovered vulnerabilities to guide future reviews and to train developers.