Secure Code Review
Creators: Andrew Buttner
Mark Davidson
License: Creative Commons: Attribution, Share-Alike
(http://creativecommons.org/licenses/by-sa/3.0/)
Class Prerequisites: Participants must have working knowledge of and experience in writing code and developing applications. No specific programming language is required, as the concepts discussed are language independent. Completion of the Introduction to Secure Coding course is highly recommended.
Lab Requirements: none
Class Textbook: none
Recommended Class Duration: 1 day
Creators Available to Teach In-Person Classes: Yes
Author Comments:
This course is designed to help developers bring a secure coding mindset into typical project peer reviews. It briefly covers the development lifecycle and the importance of peer reviews in delivering a quality product, then discusses how to perform such a review and stresses how to keep secure coding a priority throughout it. A variety of hands-on exercises address common coding mistakes, what to focus on during a review, and how to manage limited time. Throughout the course, the class will break out into pairs and perform example peer reviews on sample code. Perl is used for the hands-on exercises; however, every attempt has been made to generalize the code so that anyone familiar with a programming language will be comfortable.
Course Objectives
* Understand how peer reviews fit into the software development process
* Learn how to start a peer review and gain the necessary background about the code
* Learn techniques for making sense of a large amount of code
* Review common secure coding mistakes
* Understand how to report findings back to the developer
Author Biography:
Andrew Buttner - Leads a software assurance group at MITRE specializing in secure code review. He has worked on improving application security for both MITRE and its customers since joining the organization in 2001. An expert in the field of source code weaknesses, Andrew is also involved in a number of research efforts related to secure software development and the level of confidence in resulting code.
Mark Davidson - An expert on cyber threat information exchange, best known for authoring TAXII, a widely adopted exchange mechanism for cyber threat information. Mark also has skills in secure code review, open source software development, and standardization, and is always interested in research opportunities to further the state of the art in cyber.
Class Materials
Revision History:
1-7-2015 - Initial class content upload
If you have used and modified this material, we would appreciate it if you submit your modified version for publishing here, so that all versions can benefit from your changes.