Review

Nocturn vision » Blog Archive » Code-review with NDepend

A friend of mine asked me about some tips ‘n tricks to apply when performing a code review on an application. It got me thinking and I had a few things to say, especially about NDepend, so why not sum them up in a post?

The context of this post: You’ve got an application that is very important to you, but has some issues. You can’t get a stable version, you’re having performance problems, you’re getting lots of complaints, …….

Warnings: I’m not going to get into details about how to get started with NDepend. My goal is to show you how I would use it to perform a code review.

Tools that can help during code-reviews
There are several ways to do a code review; there are also several tools that aid the analysis of existing code. It’s not my intention to do an NDepend vs FxCop comparison-battle, so I’m just going to stop here.

First things first
Define and understand what the product is for. What are the problems with it now?

Overall approach of the project
What about layering?

Testing

Roundup

C# code review checklist - Ted Graham on .NET

My current client uses PSP extensively, so I've been putting together a checklist for reviewing C# code for use on our new project. Your comments or additions appreciated:

Are exceptions used to indicate error rather than returning status or error codes?
Are all classes and public methods commented with .NET style comments? Note that <summary> comments should discuss the "what" of public methods. Discussion of "how" should be in <remarks> blocks or in-line with the code in question.

References:
Juval Lowy, "Programming .NET Components"
Jeffrey Richter, "Applied Microsoft .NET Framework Programming"

Checklist: Architecture and Design Review

Improving Web Application Security: Threats and Countermeasures
J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan
Microsoft Corporation
Published: June 2003
Applies to: Web Applications, ASP.NET version 1.1, .NET Framework version 1.1

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources. See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.

Summary: The Architecture and Design Review Checklist covers aspects of the architecture and design stages of the project life cycle, including: input validation, authentication, authorization, configuration management, sensitive data, session management, cryptography, parameter manipulation, exception management, and auditing and logging.

Contents
How to Use This Checklist
Deployment and Infrastructure Considerations
Application Architecture and Design Considerations
Cryptography

Scrum Checklists

Code Reviews: Find and Fix Vulnerabilities Before Your Application Ships

Michal Chmielewski, Neill Clift, Sergiusz Fonrobert and Tomasz Ostwald

In software development, a small coding error can result in a critical vulnerability that ends up compromising the security of an entire system or network. Many times, a security vulnerability is not caused by a single error, however, but rather by a sequence of errors that occur during the course of the development cycle: a coding error is introduced, it goes undetected during the testing phases, and available defense mechanisms do not stop a successful attack. Security must be a priority in all phases of software development.

Figure 1 The Security Development Lifecycle

In this article we will discuss manual security code reviews performed by developers or security experts.

Software Security Vulnerabilities
Vulnerabilities are not limited to code.

Finding Coding Errors
The Code Review Process
Security Resources