
Code Review Security

Jodson Leandro Programmer and Pentester

January 23rd, 2019

I was thinking about offering Code Review as a service, but I think the companies are not comfortable sharing their source code. Does anyone know a way to offer this kind of service?

Jodson Leandro Programmer and Pentester

January 25th, 2019

I am talking about doing a code review for security issues. It is a different product; I don't think every programmer knows all vulnerabilities. So, it is important that a security guy reviews his code to find those vulnerabilities.

Mark Marasch CEO Maraschino Services LLC, Program Manager, Entrepreneur

January 23rd, 2019

Hey, that's what we'd like to do for Ethical Developer Group. There could be a couple different levels of certification. One where the software is used in a controlled environment and we watch to see if it "calls home," and what data it is accessing. The other would be a full-up code review. Both would result in an appropriate level of certification that would make that software more valuable on the market, because customers would know that they are customers, rather than being the product.

Gandalf Farnam Founder & Architect @Treadsoft, Professional Optimizer

January 25th, 2019

You said "I think the companies are not comfortable". Is this your interpretation or have they actually told you this directly? The answer is important.

As for the actual service, I would never ask my developer to work with a third-party Code Reviewer! There would be no good reason for me to do it. Bad reasons include: I don't trust my developer or I don't think he's doing it right.

I wouldn't expect a Developer to invite someone to critique his code either. Some people would say that it shows humility to expose your work to criticism, but it seems like a nail asking for a hammer, if you ask me.

Besides, StackExchange has a whole community for code review, so why would I pay for it?

(I'm a novice programmer and I know enough to discuss it but I couldn't code my way out of a paper bag!)

Richard Esq. Strategic Advisor AquaComms Ltd

January 23rd, 2019

Escrow agent

Paul Garcia marketing exec & business advisor

January 24th, 2019

This is an extremely difficult service to deliver because it relies on understanding the developer mindset, having the developers annotate the code fully during development, and understanding why developers are making the choices they have made in writing code for the particular circumstance.

It's less likely a matter of protecting trade secrets and more likely that there is no one better to review code than the team working on it in the first place. Any edits you make or suggest will not be in the memory of the original programmer and will thereby cause difficulties in the future, finding or understanding elements that aren't behaving as expected.

Similar issues come up when a coding project is inherited and access to the original developers is no longer available. In some circumstances it even requires recoding from scratch as a result.

My suggestion is that you abandon the review service and consider writing snippets of useful code that can be licensed. Things that perform complex operations that would otherwise cost a lot of time for a development team to figure out. Take for example conversion to PDF. There are a ton of standards that the conversion code must follow, and for a software package that wants PDF output, the labor involved in learning, testing, and writing code for those standards is exorbitant in comparison to licensing the snippet/plug-in that does the PDF conversion work for them. I use this specific example because I did work for a company that sells such an API tool.