Code review—manual, automated, or a mixture of the two—can be initiated via an automated notification or by a human. Current best practices for performing robust and secure code review involve using manual and automated reviews together. This tandem approach catches the most potential issues.
Secure code review can occur at any time during the software development life cycle (SDLC), but it’s most impactful when performed earlier, because that’s when it’s easiest and fastest to make fixes to the code. In particular, using automated code review when developers are actually writing code allows for immediate changes as needed. Manual code review is very helpful when performed during the commit phase, or when a merge request is submitted to the repository. It also is a way to review code while taking into account business logic and developer intentions.
Automated review enables large codebases to be quickly and efficiently analyzed. Developers perform this review using either open source or commercial tools while they are coding, to help find vulnerabilities in real time. The most advanced development teams also include SAST tools, which can provide additional inputs, help find vulnerabilities, and enable developers to fix them before the code is checked in. The most successful development processes also involve developers performing their own self-reviews as they code.
Manual review involves a thorough review of the entire codebase by a senior or more experienced developer. This process can be extremely tedious and time-consuming, but it identifies flaws, such as business logic problems, that automated tools may miss. Layering in QA tests can help as well, but there are still scenarios that manual testing can miss. The best practice is a combination of automated and manual review.
Combining manual review with feedback from tools like SAST improves the overall security of the code being committed, and helps reduce the number of flaws that slip into production.