270 Core Software Security
also be efficient, elegant, and maintainable, these are very expensive. And
there are very few such “code gurus” from which to draw. Making use of
these experts may be very valuable for critical code, but it is infeasible for
most projects in most organizations. What is feasible is to complement
several different approaches, some targeted assurance, some broad, both
manual and automated. A methodology that maximizes the complemen-
tary nature of approaches has proven to find the broadest level of defects
while also being scalable.
To maximize manual code review, for the large amount of grunt,
well-understood, typical code that must surround the critical pieces
and the proprietary business logic modules, it’s probably sufficient for
most organizations to use peer review. Manual peer code review is when
one or more of the coder’s peers reviews code before commit for build.
Members of the same development team will likely be familiar with what
was intended by the code, the environment in which the code will run,
and the general architecture of the project. It should therefore not be too
difficult for them to understand and comment constructively. For code
that is not too complex, such as routines that call a broadly understood
API, a single reviewer may be sufficient. For more complex code, multiple
reviewers may be employed. In fact, one of the soft benefits from a strong
peer review program is the trust that members of the team develop in
each other. Further, reviewers will become backups to the coder so that
no single person becomes indispensable. On one team, the coders came
to trust each other so much that they would often ask for three or four
reviewers on their code; the resulting code was much more correct and
efficient than it had been previous to this team code review. If the team
is sufficiently skilled by themselves, peer review may be adequate for even
critical or highly sensitive algorithms.
Typically, however, especially at fast-moving organizations where
there may be movement between teams or even periods of turnover, peer
review will be insufficient for critical code. The worst situation is where
a junior programmer shows her or his code to another junior program-
mer who looks at it and replies, “Your code looks just like mine. Pass.”
Inexperienced coders are not going to find many sophisticated errors. Still,
one of the more interesting code review processes we’ve seen involved a
junior reviewer explaining code to a very senior developer.* While this
* Instituted by Joe Hildebrand, CTO of Jabber, Inc.