
A Secure Code Review Retrospective

2020 
We discuss in this paper a process used at The MITRE Corporation for reviewing source code to identify security weaknesses. A key tenet of our process is that secure code review should not be done by the developers of the code, but by a separate code review team of seasoned individuals who leverage a combination of analytical methods. This paper describes MITRE's recommended practices for secure code review and provides some lessons learned from reflecting on over 300 such engagements since 2009.