Security Code Review

Security code review is a combined automated and manual review of source code, carried out with the developers, to identify source-code-level issues that could let an attacker compromise an application, system, or business function. A secure code review focuses on seven security mechanisms, or areas: Authentication, Authorization, Session management, Data validation, Error handling, Logging, and Encryption.

Key security code review activities include:

  • Product and code overview; understand the key security functions
  • Automated static code analysis
  • Leveraging the threat model and SSP to understand which portions of the code should be manually reviewed
  • Manual security code review with an emphasis on the constructs and design logic responsible for achieving the relevant security objectives
  • Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap
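To make the "automated static code analysis" step concrete, here is an added example (not code from the page or from any review service it describes) of a small AST-based checker that flags simple defects in five of the seven areas listed above: Authentication (hardcoded credentials), Data validation (eval/exec on input), Error handling (bare except that swallows errors), Logging (secrets written to logs) and Encryption (weak hash functions). Authorization and Session management defects are design-logic issues that such pattern matching cannot reliably find, which is exactly why the page pairs automated analysis with manual review guided by the threat model. The sample source it scans is constructed for this example; the secret-name list and the checks are assumptions, not a standard.

```python
import ast
from dataclasses import dataclass

# Identifier names treated as credentials (assumption for this example).
SECRET_NAMES = {"password", "passwd", "secret", "api_key", "token"}
LOG_METHODS = {"debug", "info", "warning", "error", "critical"}
WEAK_HASHES = {"md5", "sha1"}


@dataclass(frozen=True)
class Finding:
    line: int
    area: str      # one of the review areas from the page
    message: str


class SecurityReviewVisitor(ast.NodeVisitor):
    """Walks a parsed module and records findings per security area."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Assign(self, node: ast.Assign) -> None:
        # Authentication: credential assigned from a string literal.
        for target in node.targets:
            if (isinstance(target, ast.Name)
                    and target.id.lower() in SECRET_NAMES
                    and isinstance(node.value, ast.Constant)
                    and isinstance(node.value.value, str)):
                self.findings.append(Finding(
                    node.lineno, "Authentication",
                    f"hardcoded credential in '{target.id}'"))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        # Data validation: dynamic evaluation of caller-supplied data.
        if isinstance(func, ast.Name) and func.id in {"eval", "exec"}:
            self.findings.append(Finding(
                node.lineno, "Data validation",
                f"{func.id}() executes unvalidated input"))
        if isinstance(func, ast.Attribute):
            # Encryption: weak hash selected from hashlib.
            if (isinstance(func.value, ast.Name)
                    and func.value.id == "hashlib"
                    and func.attr in WEAK_HASHES):
                self.findings.append(Finding(
                    node.lineno, "Encryption",
                    f"weak hash hashlib.{func.attr}()"))
            # Logging: a credential name appears in a log call's arguments.
            if func.attr in LOG_METHODS:
                for arg in node.args:
                    for sub in ast.walk(arg):
                        if isinstance(sub, ast.Name) and sub.id.lower() in SECRET_NAMES:
                            self.findings.append(Finding(
                                node.lineno, "Logging",
                                f"secret '{sub.id}' written to log"))
        self.generic_visit(node)

    def visit_ExceptHandler(self, node: ast.ExceptHandler) -> None:
        # Error handling: bare except whose only statement is pass.
        if node.type is None and len(node.body) == 1 and isinstance(node.body[0], ast.Pass):
            self.findings.append(Finding(
                node.lineno, "Error handling",
                "bare except silently swallows all errors"))
        self.generic_visit(node)


def review_source(source: str) -> list[Finding]:
    """Parse Python source and return findings sorted by line number."""
    visitor = SecurityReviewVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per review area for the report's gap analysis."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.area] = counts.get(f.area, 0) + 1
    return counts


# Constructed sample module containing one defect per checked area.
SAMPLE_SOURCE = '''\
import hashlib
import logging

password = "hunter2"

def login(user, pw):
    logging.info("login attempt %s %s", user, password)
    digest = hashlib.md5(pw.encode()).hexdigest()
    return digest

def run(expr):
    try:
        return eval(expr)
    except:
        pass
'''

if __name__ == "__main__":
    results = review_source(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line:>3}  [{f.area}] {f.message}")
    print(summarize(results))
```

Each finding carries the review area it belongs to, so the output maps directly onto the gap analysis in the formal report; the manual review then covers the two areas the checker cannot reach.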