Code Review
Code review is the process of manually examining an application's source code to identify potential vulnerabilities or bugs that could be exploited by an attacker. This is a crucial component of any application's security assessment and can help organizations identify and remediate issues at the code level, reducing the risk of vulnerabilities making their way into production environments. During a code review, a reviewer (usually another developer or a security professional) will examine the code for common coding mistakes, adherence to coding standards, and potential vulnerabilities. The goal is to ensure that the code maintains a high level of quality and security while minimizing the chances of introducing exploitable flaws. Automated code review tools can also be used to identify potential issues in the code.
Guide: Code Review for CISSP Security Assessment and Testing
What is Code Review and Why is It Important?
Code Review is a systematic examination of computer source code. It is done to find and fix mistakes overlooked in the initial development phase, improving both the overall quality of the software and the developers' skills. Code Reviews are considered one of the best practices in software development because they provide numerous benefits, such as error detection, design improvements, maintenance of code style and standards, and team collaboration.
How Does Code Review Work?
Code Review works by having additional eyes look at the code, usually with the help of a code review tool, which simplifies the process. The typical process involves:
1) Author writes and tests code.
2) Author submits code for review.
3) Reviewers review the code and provide feedback.
4) Author makes changes based on feedback.
5) Repeat steps 3 and 4 until all concerns have been addressed.
6) Code is merged into the main branch.
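The following is an added example, not part of the original guide or of any real review tool. It shows, in miniature, what the automated code review tools mentioned above do and how the review loop in the steps above resolves: a small scanner applies a few constructed rules (a credential literal, eval/exec on input, a SQL statement glued together from strings, an unfinished TODO) to a constructed "submitted" snippet, reports findings by line number, and only approves the change once the author's revised snippet carries no blocking finding. The rule names, the regular expressions and both snippets are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line number in the reviewed source
    rule: str        # short rule name
    message: str     # what the reviewer would ask the author to change


# Constructed regex rules for a few mistakes a reviewer commonly flags.
REGEX_RULES = [
    ("hardcoded-secret",
     re.compile(r"""(?i)\b(password|passwd|secret|api_key|token)\s*=\s*["'][^"']+["']"""),
     "credential literal in source; read it from configuration or a secret store"),
    ("dangerous-eval",
     re.compile(r"\b(eval|exec)\s*\("),
     "eval/exec on input; parse the value explicitly instead"),
    ("todo-marker",
     re.compile(r"\b(TODO|FIXME|XXX)\b"),
     "unfinished work noted in a comment; finish or track it before merge"),
]

# Rules whose findings block the merge until the author addresses them
# (step 5 above: repeat review and fixes until all concerns are resolved).
BLOCKING = {"hardcoded-secret", "dangerous-eval", "sql-string-build"}


def _sql_built_by_concat(line: str) -> bool:
    """True if a DB execute() call builds its statement from string pieces."""
    if ".execute(" not in line:
        return False
    arg = line.split(".execute(", 1)[1]
    return arg.startswith(('f"', "f'")) or " + " in arg or " % " in arg


def review(source: str) -> List[Finding]:
    """Scan source text and return reviewer findings in line order."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for name, pattern, message in REGEX_RULES:
            if pattern.search(line):
                findings.append(Finding(number, name, message))
        if _sql_built_by_concat(line):
            findings.append(Finding(number, "sql-string-build",
                                    "SQL built by string joining; use a parameterised query"))
    return findings


def approved(findings: List[Finding]) -> bool:
    """Review outcome: the change may merge only when no blocking finding remains."""
    return not any(f.rule in BLOCKING for f in findings)


def report(findings: List[Finding]) -> List[str]:
    """Human-readable feedback lines for the author."""
    return [f"line {f.line}: [{f.rule}] {f.message}" for f in findings]


# Constructed snippet as first submitted for review (the key is not real).
SAMPLE_SUBMITTED = '''\
import sqlite3
API_KEY = "sk-constructed-example-key"
def login(db, user, pwd):
    cur = db.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")
    return cur.fetchone() is not None
def calc(expr):
    return eval(expr)  # TODO: not tested yet
def safe_calc(expr):
    return int(expr)
'''

# Constructed snippet after the author addressed the feedback.
SAMPLE_REVISED = '''\
import os, sqlite3
API_KEY = os.environ["API_KEY"]
def login(db, user, pwd):
    cur = db.cursor()
    cur.execute("SELECT 1 FROM users WHERE name = ?", (user,))
    return cur.fetchone() is not None
def calc(expr):
    return int(expr)
'''

if __name__ == "__main__":
    for label, src in (("submitted", SAMPLE_SUBMITTED), ("revised", SAMPLE_REVISED)):
        found = review(src)
        print(f"{label}: approved={approved(found)}")
        for line in report(found):
            print("  " + line)
```

The submitted snippet yields four findings (a secret literal on line 2, string-built SQL on line 5, and both eval and a TODO on line 8) and is not approved; the revised snippet yields none and is. A real tool would carry many more rules and parse the code rather than match lines, but the feedback-and-resubmit loop it feeds is the same one described in the steps above.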
Exam Tips: Answering Questions on Code Review
When answering questions on Code Review, keep in mind its importance and its benefits, such as error detection and design improvements. Understand the process thoroughly: it starts with the author, goes to the reviewers, and then returns to the author for changes. Best practices are also often tested; they involve careful planning and having the process clearly defined and communicated. Remember to think from an industry standpoint rather than an academic one.
CISSP - Security Assessment and Testing Example Questions
Question 1
During a code review, a chunk of code responsible for the application's login function appeared not to have been tested. The developer informs you that they didn’t have enough time for thorough testing. What should be your reaction?
Question 2
During a code review, you come across a function with a significant number of comments stating the code is complex and hard to understand. What is the recommended solution?
Question 3
While reviewing code, you notice a function that accesses private user data. What is the best practice in this scenario?