Code Review Methodology

While practicing code review, I have found that a good methodology is a cyclic process that repeats itself again and again. There are 3 steps:

  1. Planning
  2. Reviewing code
  3. Reviewing the process

Planning Stage

This part of the process is fairly simple. The useful thing to have at this stage is a record of what you already know about the application. It is up to you how to organize this. These are some of the lists I like to keep:

  • List of use cases of the application.

The most important lists are the list of possible attack vectors and the list of what has already been tested. Together they stop you from repeating work and ensure that the time you spend is productive.

The main output of the planning stage is a single objective to complete. This will be the focus of the current cycle and will keep you from getting stuck down rabbit holes. Here are some examples of goals:

  • Enumerate how the login page works.

Reviewing Code

Find a starting point:
The first part of this stage is working out where the relevant code lives. There are multiple ways to identify it. Here are some methods that I have found to be effective.

  1. Use keywords from the application (strings visible in the UI, URL paths, parameter names, error messages) to identify files that may be relevant.
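One way to carry out that keyword search, as an added example that is not part of the original post: the script below builds a small constructed sample code base (the file names and contents are made up for the demo), ranks its files by how many lines match the keywords behind the planning goal "enumerate how the login page works", and then lists the function definitions in the best-ranked file, which is also the file/function structure you will want to record when reconciling what you learned. It assumes bash with grep, awk, sed and sort, and Python source files; the function names rank_files, top_file and outline are mine.

```shell
#!/usr/bin/env bash
# Keyword-driven search for a starting point in a code review.
# Added example, not code from the original post. Assumes bash with grep,
# awk, sed and sort; the sample code base below is constructed for the demo.
set -eu

# Build a small made-up code base under ROOT so the script runs offline.
make_sample_repo() {
  local root="$1"
  mkdir -p "$root/app/auth" "$root/app/util" "$root/docs"
  cat > "$root/app/auth/login.py" <<'EOF'
def login(username, password):
    user = find_user(username)
    if user and check_password(user, password):
        return issue_session(user)
    return None

def check_password(user, password):
    return user.password_hash == hash_password(password)
EOF
  cat > "$root/app/auth/session.py" <<'EOF'
def issue_session(user):
    token = random_token()
    SESSIONS[token] = user.id
    return token
EOF
  cat > "$root/app/util/strings.py" <<'EOF'
def slugify(text):
    return text.lower().replace(" ", "-")
EOF
  cat > "$root/docs/README.md" <<'EOF'
The login page posts username and password to /auth/login.
EOF
}

# rank_files ROOT KEYWORD... : print "hits<TAB>path" for every file under ROOT
# with at least one line matching any keyword (case-insensitive), most hits first.
rank_files() {
  [ "$#" -ge 2 ] || { echo "usage: rank_files ROOT KEYWORD..." >&2; return 2; }
  local root="$1"; shift
  local pattern tab
  pattern=$(printf '%s|' "$@"); pattern=${pattern%|}   # e.g. login|password|session
  tab=$(printf '\t')
  grep -r -i -c -H -E --include='*.py' --include='*.md' "$pattern" "$root" \
    | awk -F: '{ n = $NF; sub(/:[0-9]+$/, ""); if (n > 0) print n "\t" $0 }' \
    | sort -t "$tab" -k1,1nr -k2,2
}

# top_file ROOT KEYWORD... : path of the best-ranked file (empty if nothing matched).
top_file() {
  rank_files "$@" | head -n 1 | cut -f2
}

# outline FILE : "line name" for each Python function defined in FILE; this is
# the file/function structure worth recording when reconciling what you learned.
outline() {
  grep -n -E '^[[:space:]]*def[[:space:]]+[A-Za-z_][A-Za-z0-9_]*' "$1" \
    | sed -E 's/^([0-9]+):[[:space:]]*def[[:space:]]+([A-Za-z0-9_]+).*/\1 \2/'
}

# Demo: the planning goal "enumerate how the login page works" becomes a
# keyword list, and the ranking says where to start reading.
demo() {
  local repo start
  repo=$(mktemp -d)
  make_sample_repo "$repo"
  echo "Files ranked by keyword hits:"
  rank_files "$repo" login password session | sed "s#$repo/##"
  start=$(top_file "$repo" login password session)
  echo "Start here: ${start#$repo/}"
  outline "$start"
  rm -rf "$repo"
}
demo
```

Point rank_files at a real checkout with the keywords from your current objective; the count is crude, but a file with many hits for "login" and "password" is almost always a better first read than one with a single mention in a comment, and the outline of the top file gives you the function names to chase next.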

Reading the code:
This part takes a while, and how long depends on how proficient you are with the language. Here are some tips for reviewing the code:

  • Google everything! Reading the documentation for the framework and libraries in use will make it much easier to understand what is happening.

Reviewing the Process

After the code is reviewed, it is important to reconcile all the knowledge that has been gained. This includes things such as:

  • Understanding the structure of the files and functions.

Update your lists with everything you have learned so that the next planning phase can form a strategy based on more information.

Here are some tips for the whole process:

  • The first few cycles may not find much, because you are still building your knowledge of the application. Once that knowledge is in place you will be able to craft slightly more complex attack vectors.

Thank you for reading, let me know if you have any ideas you can add to this.
