Secure Code Review



Creators:    Andrew Buttner, Mark Davidson

License:    Creative Commons: Attribution, Share-Alike


Class Prerequisites: Participants must have working knowledge and experience writing code and developing applications. A specific programming language is not required as the concepts that will be discussed are language independent. Completion of the Introduction to Secure Coding course is highly recommended.

Lab Requirements: none

Class Textbook: none

Recommended Class Duration: 1 day

Creators Available to Teach In-Person Classes: Yes

Author Comments:

This course is designed to help developers bring a secure coding mindset into typical project peer reviews. The course briefly covers the development lifecycle and the importance of peer reviews in delivering a quality product. It discusses how to perform such a review and stresses how to keep secure coding a priority during it. A variety of hands-on exercises address common coding mistakes, what to focus on during a review, and how to manage limited time. Throughout the course, the class breaks out into pairs and performs example peer reviews on sample code. Perl is used for the hands-on exercises; however, every attempt is made to generalize the code so that anyone with an understanding of a programming language will be comfortable.

Course Objectives

   * Understand how peer reviews fit into the software development process

   * Learn how to start a peer review and gain the necessary background about the code

   * Learn techniques for making sense of a large amount of code

   * Review common secure coding mistakes

   * Understand how to report findings back to the developer

Author Biography:

Andrew Buttner - Leads a software assurance group at MITRE specializing in secure code review. He has worked on improving application security for both MITRE and its customers since joining the organization in 2001. An expert in the field of source code weaknesses, Andrew is also involved in a number of research efforts related to secure software development and the level of confidence in resulting code.

Mark Davidson - An expert on cyber threat information exchange, best known for authoring TAXII, a widely adopted exchange mechanism for cyber threat information. Mark also has skills in secure code review, open source software development, and standardization, and is always interested in research opportunities to further the state of the art in cyber security.

Class Materials

All Slides (112 slides)

Revision History:

1-7-2015 - Initial class content upload

If you have used and modified this material, we would appreciate it if you submit your modified version for publishing here, so that all versions can benefit from your changes.