The goals of the review should be:
- The code satisfies the requirements
- The code is robust (i.e. stable, and descriptive in case of error)
- The code handles wrong inputs (SQL injection, XSS!)
- The code is scalable
- The code is extensible and maintainable
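Since the list only names SQL injection and XSS, here is an added example of what a reviewer looks for in ASP.NET code; it is not from this post or from the Microsoft guides. The `UserLookup` class, the `Users` table, its `UserName`/`Email` columns and the 64-character limit are assumptions for illustration. Each vulnerable method is shown beside its hardened form:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Hypothetical helper written for this example (sealed class with a private
// constructor so it compiles on .NET 1.1 as well as 2.0). Table and column
// names are assumptions, not taken from the Microsoft guides.
public sealed class UserLookup
{
    private UserLookup() { }

    // VULNERABLE: the request value is concatenated into the SQL text, so the
    // input  x' OR '1'='1  changes the query, and  x'; DROP TABLE Users;--  is worse.
    public static string FindEmailUnsafe(SqlConnection conn, string userName)
    {
        string sql = "SELECT Email FROM Users WHERE UserName = '" + userName + "'";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? null : (string)result;
        }
    }

    // HARDENED: the value travels as a typed, length-limited parameter, so the
    // SQL grammar is fixed before the server ever sees user data. Rejecting
    // over-long input up front also gives the caller a descriptive error.
    public static string FindEmailSafe(SqlConnection conn, string userName)
    {
        if (userName == null || userName.Length == 0 || userName.Length > 64)
        {
            throw new ArgumentException("userName must be 1 to 64 characters", "userName");
        }

        const string sql = "SELECT Email FROM Users WHERE UserName = @UserName";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            SqlParameter p = cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64);
            p.Value = userName;
            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? null : (string)result;
        }
    }

    // VULNERABLE (XSS): anything that came from the request or the database is
    // written straight into the page, so a stored  <script>...</script>  runs in
    // the visitor's browser.
    public static string RenderGreetingUnsafe(string userName)
    {
        return "<p>Hello, " + userName + "</p>";
    }

    // HARDENED: HTML-encode at the point of output, so < > & " become entities
    // and the value can only ever be displayed as text.
    public static string RenderGreetingSafe(string userName)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(userName) + "</p>";
    }
}
```

Two points a reviewer should check while reading code like this: every SQL statement takes user data only through `SqlParameter`, never through string building; and encoding happens on output, not on input, with `HtmlEncode` chosen because the value lands in HTML element content (an attribute or a JavaScript block needs the encoding for that context instead).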
Microsoft has several checklists on these topics (unfortunately written for .NET 1.1). Useful ones are: Securing ASP.NET, Security Review for Managed Code and Code Review for .NET Application Performance. And I just found the .NET 2.0 version of the guide: How To: Perform a Security Code Review.