The Security Innovation Europe Blog

Why Organisations Need to Start Doing More Frequent Code Reviews

Posted by Alan Pearson on Feb 26, 2015


Software vulnerabilities are a fact of life, and it’s near impossible to eradicate all vulnerabilities from your code. As a result, the goal of developers, security professionals and business leaders alike is to minimise the impact these vulnerabilities can have.

The Escalating Costs of Software Vulnerabilities

The best way to reduce the damage and costs associated with software vulnerabilities is to catch them as early as possible. Frequent code reviews make it possible to inspect and analyse code throughout the software development lifecycle, and nip potential problems in the bud before they contribute to escalating costs.

Unfortunately, organisations often overlook code reviews because of the costs associated with performing them. A developer’s time and energy are a valuable commodity, and in many instances it’s tempting to focus their efforts on development alone. Timely development and release becomes the organisation’s single priority, and security is treated as an afterthought.

This is a short-sighted approach. Once software has been released, even the smallest of vulnerabilities can generate costs that grow steeply the longer it remains unfixed: the fix now has to be developed, tested, distributed to customers and, if the flaw has been exploited, paired with incident response. To minimise the likelihood of a catastrophic bug emerging, it’s essential for organisations to be proactive and perform more frequent code reviews during the software development process.

Avoiding Development Bureaucracy

In order to reduce the likelihood of vulnerabilities, many organisations choose to hold weekly code review meetings. Whilst the comprehensive nature of a formal review will deliver results, it simply isn’t practical to run one every week. Organisations need to recognise the trade-off between code quality and development efficiency.

Code review measures need to be prioritised. In the same way that occasional penetration testing is used alongside regular static analysis, the time- and labour-intensive formal code review meeting needs to be balanced by less resource-intensive measures. In many instances, software vulnerabilities can be identified just as efficiently by an ongoing, less formal review process.

Weekly review meetings can also hinder a developer’s productivity. Efficient and effective coding are two crucial tenets of software development, and waiting seven days for a code review meeting can prevent developers from continuing with their project. If significant changes to the code are recommended as a result of the review, those developers may lose a full week’s worth of progress.

Pair Programming

Many organisations choose to implement an ongoing process of code review known as pair programming. Before any code is integrated into the main body of the project, another developer is required to review and talk through the work. By having two skilled developers working together, code is reviewed in real time, creating an immediate feedback loop.

Despite the obvious benefits of pair programming, the idea of committing two developers to a single project can be difficult to sell internally. However, whilst the pair will output less code than two developers working separately, organisations will see both improved code quality and reduced overheads from fewer formal meetings. With bugs spotted sooner and less time spent on remediation, pair programming is likely to boost overall productivity.

In order to demonstrate the value proposition of pair programming, it’s possible to introduce a second programmer on a rotational basis. Instead of committing permanent pairs of programmers to individual projects, a single developer can periodically review the other developers’ code. This allows an organisation to understand the impact full-time pair programming could have on application security and quality.

Frequent code reviews, and pair programming in particular, contribute towards a collaborative and security-aware working environment. As well as improving the quality of development projects and significantly reducing the likelihood of expensive vulnerabilities and bugs, these practices contribute hugely to a culture of effective security within your organisation.