P.4.1 Security code review
Control Details
Objective
Detect security vulnerabilities introduced during architecture, design, and source code creation, including those injected with malicious intent.
Definition
Perform peer code review on in-house developed code, AI-generated code, and some third-party code, based on the organization’s secure coding standards. Create and use review checklists, which may be informed by 'Top N' vulnerability lists. Manual review by another programmer before check-in is essential for finding vulnerabilities injected with malicious intent; supplementing that review with automated tools, such as static analysis tools, is beneficial. Record and triage discovered issues, together with recommended remediations, in the development team’s workflow or issue-tracking system.
Assessment Questions
- How does the team perform security-related code reviews?
- Describe the secure coding standards your teams use, if any.
- How do discovered vulnerabilities get recorded, tracked, and remediated?
Reference sources
- EO 4e(iv) 4e(v)
- SSDF PW.7.2
- SSDF-AI PW.7.2
- SLSA Source L4: Two-party review
- BSIMM CR1.2 CR1.4 CR2.8 CR2.6 CR2.7 CR3.4 CR3.5
- OSSF-Scorecard code-review
- CNCF-SSC C: Enforce independent 2-party review
- Self-attestation 4
- SAMM V-ST-3-B V-ST-3-A
- OSPS OSPS-QA-03 OSPS-QA-06 OSPS-VM-05 OSPS-VM-06