Streamlining security code reviews

This is great:

From: http://blogs.msdn.com/alikl/archive/2008/01/24/security-code-review-use-visual-studio-bookmarks-to-capture-security-findings.aspx

Security Code Review – Use Visual Studio Bookmarks To Capture Security Findings


How to streamline the process of capturing security flaws during security code review? How to save time and avoid switching between the tools? How to stay focused?

In this post I will show my simple technique to capture security flaws using Bookmarks in Visual Studio.

Create bookmark folders. Hit Ctrl+K and then Ctrl+W to bring the Bookmarks window up. Create 10 folders according to the security frame categories:

[Screenshot: Bookmarks window with one folder per security frame category]

Focus on one category. Grab the security checklist document you created using Guidance Explorer. Choose one category from the security frame, Authentication for example, and inspect the code manually. Do not pay attention to anything else on your way but Authentication issues. One category at a time.

Bookmark security bugs. Once you find a security bug, hit Ctrl+K and then Ctrl+K again. You just created the bookmark. Drag it into the appropriate folder in the Bookmarks window. Move on. When you finish the inspection using your checklist you should have something like this:

[Screenshot: bookmarked findings sorted into the category folders]

Copy to the report in one run. Just run through the bookmarks and paste the findings into your final report. One run. Mechanical work. Done. Peace of mind.
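As an added example (not from the original post, and not Alik Levin's code): the same workflow of filing each finding under one security frame category and then producing the report in a single pass, done with tagged review comments instead of Visual Studio bookmarks. That makes the capture editor-independent and turns the "copy to the report" step into a script. The SECREVIEW tag format, the sample files, and the category list (assumed to match the ten patterns & practices security frame categories the post refers to) are all assumptions made for this example.

```python
"""Collect security code review findings tagged in source comments and
group them by security frame category. Added example, not part of the
original post."""
import re
from collections import defaultdict

# The ten categories of the patterns & practices security frame. Assumed
# to be the same folders the post has you create in the Bookmarks window.
SECURITY_FRAME = (
    "Input/Data Validation", "Authentication", "Authorization",
    "Configuration Management", "Sensitive Data", "Session Management",
    "Cryptography", "Parameter Manipulation", "Exception Management",
    "Auditing and Logging",
)

# Hypothetical tag format for a review comment: SECREVIEW[Category]: note
TAG_RE = re.compile(r"SECREVIEW\[(?P<cat>[^\]]+)\]:\s*(?P<note>.+)")


def collect_findings(files):
    """files: mapping of path -> source text.
    Returns ({category: [(path, line_no, note), ...]}, unknown), where
    unknown lists (path, line_no, category) for tags whose category is
    not in the security frame and so still needs filing."""
    findings = defaultdict(list)
    unknown = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            m = TAG_RE.search(line)
            if not m:
                continue
            cat = m.group("cat").strip()
            note = m.group("note").strip()
            if cat in SECURITY_FRAME:
                findings[cat].append((path, line_no, note))
            else:
                unknown.append((path, line_no, cat))
    return findings, unknown


def render_report(findings, unknown):
    """One section per category in security frame order (empty sections
    are kept so the report shows which categories were reviewed clean),
    followed by a section for tags that need re-filing."""
    out = []
    for cat in SECURITY_FRAME:
        items = findings.get(cat, [])
        out.append(f"## {cat} ({len(items)})")
        for path, line_no, note in items:
            out.append(f"- {path}:{line_no}: {note}")
        out.append("")
    if unknown:
        out.append("## Unfiled tags (unknown category)")
        for path, line_no, cat in unknown:
            out.append(f"- {path}:{line_no}: [{cat}]")
    return "\n".join(out)


# Constructed sample sources carrying review tags; not real project code.
SAMPLE_FILES = {
    "Login.aspx.cs": (
        'string pwd = "P@ssw0rd"; // SECREVIEW[Authentication]: hard-coded credential\n'
        'if (user.Role == "admin") { } // SECREVIEW[Authorization]: role name compared as string\n'
    ),
    "Orders.cs": (
        'var sql = "SELECT * FROM Orders WHERE Id=" + id; // SECREVIEW[Input/Data Validation]: SQL built by concatenation\n'
        'log.Info("card=" + card); // SECREVIEW[Auditing and Logging]: card number written to log\n'
        "// SECREVIEW[Crypto]: MD5 used for password hashing\n"
    ),
}

if __name__ == "__main__":
    found, unfiled = collect_findings(SAMPLE_FILES)
    print(render_report(found, unfiled))
```

The "Unfiled tags" section is the script's equivalent of a bookmark left outside any folder: a tag whose category name does not match the frame (here "Crypto" instead of "Cryptography") is reported rather than silently dropped, so nothing found during the review goes missing from the report.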