SEC11-BP04 Manual code reviews
Perform a manual code review of the software that you produce, so that the person who wrote the code is not the only one checking its quality and security.
Desired outcome: Including a manual code review step during development increases the quality of the software being written, helps upskill less experienced members of the team, and provides an opportunity to identify places where automation can be used. Manual code reviews can be supported by automated tools and testing.
Common anti-patterns:
- Not performing reviews of code before deployment.
- Having the same person write and review the code.
- Not using automation to assist or orchestrate code reviews.
- Not training builders on application security before they review code.
Benefits of establishing this best practice:
- Increased code quality.
- Increased consistency of code development through reuse of common approaches.
- Reduction in the number of issues discovered during penetration testing and later stages.
- Improved knowledge transfer within the team.
Level of risk exposed if this best practice is not established: Medium
Implementation guidance
The review step should be implemented as part of the overall code management flow. The specifics depend on the approach used for branching, pull requests, and merging. You might be using AWS CodeCommit or third-party solutions such as GitHub, GitLab, or Bitbucket. Whatever method you use, verify that your process requires a review of code before it is deployed to a production environment, and enforce that requirement with the repository's own controls (such as branch protection or approval rules) rather than relying on convention, so that a change cannot reach the next stage without a reviewer other than its author having approved it. Using tools such as Amazon CodeGuru Reviewer can make it easier to orchestrate the code review process.
Implementation steps
- Implement a manual review step as part of your code management flow and perform this review before proceeding.
- Consider Amazon CodeGuru Reviewer for managing and assisting in code reviews.
- Implement an approval flow that requires a completed code review before code can progress to the next stage.
- Verify there is a process to identify issues found during manual code reviews that could have been detected automatically.
- Integrate the manual code review step in a way that aligns with your code development practices.
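As an added example (not code from this page, from AWS, or from the CodeCommit service), the block below shows what the approval-flow step looks like when it is made concrete: an approval rule written in the JSON shape that AWS CodeCommit approval rule templates use (Version, DestinationReferences, and an Approvers statement with NumberOfApprovalsNeeded and ApprovalPoolMembers), plus a small local evaluator of the kind you might run as a CI gate to check that a pull request satisfies the rule. The account ID, role name, branch names, reviewer ARNs and the sample pull request are constructed placeholders. The evaluator's policy of ignoring self-approvals, ignoring approvals given on an earlier revision, and matching ARN patterns with shell-style wildcards is this example's own logic, chosen to mirror the anti-patterns above; it is not a description of how the service itself evaluates rules.

```python
"""Local approval-rule gate for pull requests (added example, not AWS code).

The rule content follows the JSON shape of CodeCommit approval rule templates;
the evaluation below is a CI-side model written for this example and is not the
service's own implementation.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import json

# Approval rule in the CodeCommit approval-rule-template content format.
# Account ID, role name and branch names are placeholders.
APPROVAL_RULE = {
    "Version": "2018-11-08",
    "DestinationReferences": ["refs/heads/main", "refs/heads/release/*"],
    "Statements": [
        {
            "Type": "Approvers",
            "NumberOfApprovalsNeeded": 2,
            "ApprovalPoolMembers": [
                "arn:aws:sts::123456789012:assumed-role/CodeCommitReview/*"
            ],
        }
    ],
}


@dataclass
class Approval:
    reviewer: str   # ARN of the principal that approved
    revision: str   # pull-request revision the approval was given on


@dataclass
class PullRequest:
    author: str
    destination_ref: str
    latest_revision: str
    approvals: list = field(default_factory=list)


def rule_applies(rule: dict, destination_ref: str) -> bool:
    """A rule only guards the refs it lists; wildcards are assumed to be shell-style."""
    return any(fnmatchcase(destination_ref, ref) for ref in rule["DestinationReferences"])


def evaluate(rule: dict, pr: PullRequest) -> tuple[bool, list[str]]:
    """Return (mergeable, reasons).

    Only approvals that are (a) from an approval-pool member, (b) not from the
    author (the same person writing and reviewing is the anti-pattern), and
    (c) given on the latest revision (earlier approvals are stale once new
    commits are pushed) count toward NumberOfApprovalsNeeded.
    """
    if not rule_applies(rule, pr.destination_ref):
        return True, [f"no approval rule guards {pr.destination_ref}"]
    reasons: list[str] = []
    for stmt in rule["Statements"]:
        if stmt["Type"] != "Approvers":
            continue
        pool = stmt["ApprovalPoolMembers"]
        counted: set[str] = set()   # one vote per distinct reviewer
        for a in pr.approvals:
            if a.reviewer == pr.author:
                reasons.append(f"ignored self-approval by {a.reviewer}")
            elif a.revision != pr.latest_revision:
                reasons.append(f"ignored stale approval by {a.reviewer} on {a.revision}")
            elif not any(fnmatchcase(a.reviewer, m) for m in pool):
                reasons.append(f"ignored approval by {a.reviewer}: not in approval pool")
            else:
                counted.add(a.reviewer)
        needed = stmt["NumberOfApprovalsNeeded"]
        if len(counted) < needed:
            reasons.append(f"{len(counted)} of {needed} required approvals")
            return False, reasons
    return True, reasons


def rule_template_json(rule: dict) -> str:
    """Serialize the rule for --approval-rule-template-content file://rule.json."""
    return json.dumps(rule, indent=2)


# Constructed sample: alice opened the PR, bob approved rev-1, then alice pushed
# rev-2; carol approved rev-2; a CI role outside the pool also "approved".
ROLE = "arn:aws:sts::123456789012:assumed-role/CodeCommitReview/"
SAMPLE_PR = PullRequest(
    author=ROLE + "alice",
    destination_ref="refs/heads/release/2024.06",
    latest_revision="rev-2",
    approvals=[
        Approval(ROLE + "alice", "rev-2"),
        Approval(ROLE + "bob", "rev-1"),
        Approval(ROLE + "carol", "rev-2"),
        Approval("arn:aws:sts::123456789012:assumed-role/Deploy/ci-bot", "rev-2"),
    ],
)

if __name__ == "__main__":
    ok, why = evaluate(APPROVAL_RULE, SAMPLE_PR)
    print("mergeable" if ok else "blocked")
    for line in why:
        print(" -", line)
```

With the sample data the gate blocks the merge (only carol's approval counts: alice approved her own change, bob's approval predates the latest push, and the CI role is not in the pool); once bob re-approves rev-2 it passes. The JSON from `rule_template_json` is the content you would hand to `aws codecommit create-approval-rule-template` and then attach with `associate-approval-rule-template-with-repository`; the evaluator is a defence-in-depth check for a pipeline, not a replacement for the repository host enforcing the rule itself.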
Resources
Related best practices:
Related documents:
Related videos:
Related examples: