A Security Practices Evaluation Framework

Perform Security Review

Perform security-focused review of all deliverables, including, for example, design, source code, software release, and documentation. Include reviewers who did not produce the deliverable being reviewed.

Description

Manual review of software development deliverables augments software testing and tool verification. During review, the team applies its domain knowledge, expertise, and creativity explicitly to verification rather than implementation. Non-author reviewers, e.g. teammates, reviewers from outside the team, or security experts, may catch otherwise overlooked security issues.

Practice Implementation Questions

Each of the following questions applies to the decision to:

  • change code, configuration, or documentation
  • include a (revised) component in the project
  • release the (revised) software built by the project

  1. Does the project use a scheme for identifying and ranking security-critical components?
  2. Is the scheme used to prioritize review of components?
  3. Are the project’s standards documents considered when making the decision?
  4. Are the project’s technical stack requirements considered when making the decision?
  5. Are the project’s security requirements considered when making the decision?
  6. Are the project’s threat models considered when making the decision?
  7. Are the project’s security test results considered when making the decision?
  8. Are the project’s security tool outputs considered when making the decision?
  9. Are changes to the project’s documentation considered when making the decision?

Keywords

architecture analysis, attack surface, bug bar, code review, denial of service, design review, elevation of privilege, information disclosure, quality gate, release gate, repudiation, review, security design review, security risk assessment, spoofing, tampering, STRIDE

  • OWASP: Perform source-level security review
  • BSIMM CR1.5: Make code review mandatory for all projects