Tanya Janca for Microsoft Azure

Pushing Left, Like a Boss - Part 7: Code Review and Static Code Analysis

This series, and my blog, have moved! Check it out!


This article is about secure code review and static code analysis (SCA), also known as Static Application Security Testing (SAST).

Note: Some people refer to SCA as Software Composition Analysis, in which case they are referring to verifying that your dependencies are not known to be vulnerable. In this article I mean static code analysis.

When application security folks say 'static' analysis, we mean that we will look at written code, as opposed to 'dynamic', which means when your code is running on a web server.

I wasn't sure if I was going to cover this topic, even though I know code review is very important. I personally find code review very difficult; my attention span is short and I can be impatient at times (such as, for example, when I am awake). Code review demands both patience and intense concentration. That said, it's a highly valuable activity which can find a lot of security problems, far before you get to the testing or release stages, potentially saving both time and money.

Code review can happen both during the coding and during the testing phases of the system development life cycle.

There are two options for doing code review: manual, or with a tool. There are pros and cons to each.
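To make the "static" in static analysis concrete, here is an added example (not code from the original post or from any SAST product) of what a tool does under the hood: it parses source code into a syntax tree without running it and walks that tree looking for risky patterns. The two rules below, flagging calls to `eval`/`exec` and any call that passes `shell=True`, are my own constructed examples, and the analysed sample source is constructed for the demonstration. Real SAST tools apply hundreds of such rules plus data-flow tracking, but the principle is the same.

```python
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int      # source line where the pattern occurs
    rule: str      # short rule identifier (constructed for this example)
    message: str   # human-readable description for the reviewer


# Built-ins whose use usually deserves a reviewer's attention.
DANGEROUS_BUILTINS = {"eval", "exec"}


class RiskyCallFinder(ast.NodeVisitor):
    """Walk a parsed module and record calls matching two simple rules."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        # Rule 1: direct calls to eval(...) / exec(...)
        if isinstance(func, ast.Name) and func.id in DANGEROUS_BUILTINS:
            self.findings.append(
                Finding(node.lineno, "dynamic-code", f"call to {func.id}()")
            )
        # Rule 2: any call passing the literal keyword shell=True
        for kw in node.keywords:
            if (
                kw.arg == "shell"
                and isinstance(kw.value, ast.Constant)
                and kw.value.value is True
            ):
                self.findings.append(
                    Finding(node.lineno, "shell-true", "call with shell=True")
                )
        # Keep descending so nested calls (e.g. eval inside an argument) are seen.
        self.generic_visit(node)


def analyze_source(source: str) -> list[Finding]:
    """Parse `source` (never executed) and return findings sorted by line."""
    tree = ast.parse(source)
    finder = RiskyCallFinder()
    finder.visit(tree)
    return sorted(finder.findings, key=lambda f: f.line)


# Constructed sample input: a small module with two risky calls and one safe one.
SAMPLE_SOURCE = """\
import subprocess

def run(cmd):
    return subprocess.run(cmd, shell=True)

def calc(expr):
    return eval(expr)

def safe():
    return subprocess.run(["ls", "-l"], shell=False)
"""

if __name__ == "__main__":
    for finding in analyze_source(SAMPLE_SOURCE):
        print(f"line {finding.line}: [{finding.rule}] {finding.message}")
```

Note that the sample is only ever passed to `ast.parse`, never imported or executed, which is exactly the distinction the post draws between static and dynamic analysis. The `shell=False` call on the last line produces no finding, showing that a rule keyed on the syntax tree can distinguish the two spellings without guessing from text matching.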

Read the rest on my NEW blog!!
