Code Review

Posted on November 11, 2012. Filed under: java/j2EE



Code review can start simply by searching for keywords that reveal complexity or unfinished work in the code. For example, the following Linux command recursively searches the files in the current directory and its subdirectories for the keywords "todo", "fixme", "xxx" and "important" (case-insensitively) and, for each match, prints the line together with its file name and line number:

grep -r -i -n "todo\|fixme\|xxx\|important" .

The equivalent command in Windows is:

findstr /S /I /N /D:. "todo fixme xxx important" *

Note that the search strings are given without /C: findstr treats space-separated words as alternative search strings, whereas /C: would make it look for the literal phrase "todo fixme xxx".

Eclipse does this keyword search for us automatically: it searches comment strings for "TODO", "FIXME" and "XXX" and lists the findings in the Tasks view. To configure the task tags, go to Windows -> Preference -> Java -> Compiler -> Task.

Code review can also be conducted with automated static analysis tools such as FindBugs, which can identify common security defects automatically. Developers should have such a tool running in their IDE, and before they check any code into the version control system they should use it to look for security issues in that code. Additionally, the static analysis tool should be integrated into the automated build system, such as Ant or Maven.
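The keyword scan above, together with the advice to run checks before check-in and in the build, as an added example that is not part of the original post: a POSIX shell script that wraps the grep search in a gate with a marker limit (usable as a pre-commit hook or build step) and runs it on a constructed sample tree. The "important" marker, the limit and the file names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the post's keyword scan wrapped as
# a gate that can run as a pre-commit hook or a build step. The marker list
# (an assumption) extends the post's keywords with "important".
MARKERS='todo|fixme|xxx|important'
# list_markers DIR: print file:line:text for every marker hit under DIR
# (recursive, case-insensitive; the post's grep -r -i -n).
list_markers() {
    grep -r -i -n -E "$MARKERS" "$1" 2>/dev/null || true
}

# count_markers DIR: number of marker hits under DIR, printed on stdout.
count_markers() {
    list_markers "$1" | wc -l | tr -d ' '
}

# gate_markers DIR MAX: return 0 if hits <= MAX, 1 otherwise. A limit lets a
# team ratchet the count down release by release instead of failing outright.
gate_markers() {
    hits=$(count_markers "$1")
    if [ "$hits" -gt "$2" ]; then
        echo "marker gate FAILED: $hits unresolved markers (limit $2)" >&2
        return 1
    fi
    echo "marker gate passed: $hits unresolved markers (limit $2)"
}

# make_sample_tree: constructed sample sources so the script runs stand-alone;
# prints the temporary directory it created.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src"
    cat > "$dir/src/Login.java" <<'EOF'
public class Login {
    // TODO: validate the redirect target before using it
    // FIXME: password compared with == instead of equals()
}
EOF
    cat > "$dir/src/Util.java" <<'EOF'
public class Util {
    // XXX temporary workaround, remove after release
}
EOF
    echo "$dir"
}

SAMPLE=$(make_sample_tree)
list_markers "$SAMPLE"           # three hits, each with file and line number
gate_markers "$SAMPLE" 2 || true # fails: 3 markers exceed the limit of 2
rm -rf "$SAMPLE"
```

Set the limit to the current count when adopting the gate, then lower it as markers are resolved so the build never regresses.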

Like any tool, a static analysis tool can automate and streamline parts of the code review process, but it cannot replace a skilled human reviewer. The tools report many false positives and miss real bugs (false negatives), and they cannot find flaws in the architecture or in the security requirements themselves.

Both the development team and the security team should conduct code review. The best arrangement is for the development team to run the static analysis tool regularly, to find easy-to-fix security bugs, while the security team reviews the code manually, with the help of static analysis tools, less frequently, to find security flaws that are harder to detect and high-level security concerns. At a minimum, the security team should conduct a thorough code review for every major release.
