Select Page

Code review and testing

CISSP

Code review and testing are essential practices in the software development lifecycle, aimed at ensuring the quality, security, and functionality of the software. Here’s an overview of the key concepts related to code review and testing:

1. Code Review

  • Definition: Code review, also known as “peer review,” is the process where developers other than the one who wrote the code examine it for defects, ensuring that the code meets quality and security standards.
  • Importance: It is foundational to software assessment programs, helping to catch errors early in the development process and improving overall code quality.
  • Fagan Inspections: A formal, rigorous code review process that follows six structured steps:
    1. Planning: Preparing for the review by defining the objectives, scope, and participants.
    2. Overview: Providing an overview of the code and its functionality to the review team.
    3. Preparation: Reviewers individually examine the code and prepare for the inspection meeting.
    4. Inspection: A formal meeting where the code is examined in detail, and defects are identified.
    5. Rework: The developer addresses the defects identified during the inspection.
    6. Follow-up: Ensuring that all identified defects have been addressed and the code is ready for the next stage.

2. Code Coverage Report

  • Definition: A report that provides information on the extent to which the code has been tested. It typically covers functions, statements, branches, and conditions.
  • Purpose: Code coverage reports help assess the effectiveness of the testing process, indicating how much of the code has been executed during testing.

3. Use Cases in Testing

  • Definition: Use cases describe specific scenarios in which the software will be used, and they are used to guide testing efforts.
  • Test Coverage Calculation: The test coverage for use cases is calculated by dividing the number of tested use cases by the total number of use cases, providing a measure of how thoroughly the software has been tested.

4. Code Review Report

  • Definition: A report generated if the application’s source code is manually reviewed, documenting the findings and recommendations from the code review process.

5. Testing Types

  • Black-Box Testing:
    • Definition: Testing that focuses on the system’s external behavior without knowledge of the internal workings.
    • Purpose: To validate functionality against requirements without being influenced by the code’s internal structure.
  • White-Box Testing:
    • Definition: A detailed examination of the code’s logical paths, conditions, and internal structures. Requires access to the source code.
    • Purpose: To ensure that all possible paths and conditions are tested, identifying potential errors or vulnerabilities.
  • Dynamic Testing:
    • Definition: Testing that evaluates code in a runtime environment without requiring access to the source code.
    • Purpose: To assess the software’s behavior during execution, identifying runtime errors or issues.
  • Static Testing:
    • Definition: Involves analyzing the source code without executing it. This can include code analysis tools or manual code reviews.
    • Purpose: To detect potential errors, vulnerabilities, or non-compliance with coding standards before the code is run.
  • Regression Testing:
    • Definition: Ensures that new code changes do not negatively affect existing functionality. Typically involves automated tests that compare current results with previous ones.
    • Purpose: To verify that the system continues to function correctly after updates or modifications.
  • Non-Regression Testing:
    • Definition: Testing to confirm that the new or updated code works as intended.
    • Purpose: To ensure that the changes made to the code do not introduce new defects.
  • Integration Testing:
    • Definition: Focuses on testing the interactions and interfaces between different components or modules of the software.
    • Purpose: To identify bugs related to how components work together, rather than testing all individual functions.

6. Security and Vulnerability Management

  • CVE (Common Vulnerabilities and Exposures):
    • Definition: A dictionary of publicly known security vulnerabilities, maintained by MITRE.
    • Purpose: Provides a standardized way of identifying and referencing vulnerabilities.
  • CVSS (Common Vulnerability Scoring System):
    • Definition: A framework for rating the severity of security vulnerabilities based on metrics like exploitability, impact, and remediation effort.
    • Purpose: Helps prioritize vulnerabilities based on their risk level and impact.
  • NVD (National Vulnerability Database):
    • Definition: A database that contains information on vulnerabilities, including CVE identifiers and CVSS scores.
    • Purpose: A resource for security professionals to find detailed information on known vulnerabilities.

7. Compiled vs. Interpreted Code

  • Risk of Compiled Code: Compiled code poses a higher risk than interpreted code because malicious code can be embedded within the compiled binaries, making it more difficult to detect.
  • Security Implications: Special attention is required when dealing with compiled code to ensure that no malicious elements are present.

8. Code Comparison and Attack Surface

  • Code Comparison: Used to identify differences between versions of source code, helping to pinpoint changes that might introduce new bugs or security issues.
  • Attack Surface:
    • Definition: The total exposure of a system to potential attacks. It includes all the points where an unauthorized user could attempt to enter or extract data.
    • Purpose: Reducing the attack surface is a key objective in secure software design and testing.

Summary

  • Code Review: A critical step in ensuring code quality, with Fagan inspections being a highly structured approach.
  • Testing Types: Include black-box, white-box, dynamic, static, regression, non-regression, and integration testing, each focusing on different aspects of the software.
  • Security Considerations: Involve understanding vulnerabilities (CVE), scoring them (CVSS), and referencing reliable databases (NVD) to manage risks effectively.
  • Code Comparison: Useful for tracking changes and their potential impact, while managing the attack surface is essential for minimizing security risks.

Understanding and applying these principles helps in developing secure, reliable, and high-quality software that meets both functional and security requirements.

Latest Post:

Pin It on Pinterest