SDL Crypto Code Review Macro

Michael Howard talks about SDL crypto code review at his blog. He says:

When I review code for security bugs I basically do the following:

1) Run static analysis tools and compile with /W4 to see which source code files appear to have more warnings or errors. This may indicate more bugs.
2) Look for known issues, such as banned APIs and banned functionality. I hand review anything I spot in this pass, but the noise can be very high.
3) Drill down into the riskiest code (i.e., line-by-line review) based on the threat models.

Michael decided to create a simple macro to help with step (2) when reviewing code for potential crypto issues. You can read about it and download the code at his Web log.
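To make step (2) concrete, here is a small sweep of the kind the macro automates: search every source file for crypto constructs that warrant a hand review (legacy hashes, weak ciphers, ECB mode, non-cryptographic RNGs, literal key material) and rank the files by hit count, which is the same "where to drill down first" signal step (1) takes from warning counts. This is an added example written for this page; it is not Michael Howard's macro and not code from his blog. The pattern list, the reviewer notes, the three sample source files and their names are this example's own assumptions, and a real pass should start from the project's actual banned-API list.

```python
"""Banned-crypto-API sweep: a Python stand-in for step (2) of the review
procedure quoted above. Added example; the patterns and sample files below
are assumptions, not a published banned list."""
import os
import re
from collections import Counter

# (regex, reviewer note). Deliberately heuristic: the output is a short list
# of lines to read by hand, so a false positive costs a glance and a miss
# costs a bug. Windows CryptoAPI names plus a few OpenSSL ones.
CRYPTO_PATTERNS = [
    (r"\bCALG_(MD2|MD4|MD5|SHA1?)\b|\bMD[245]_?(Init|Update|Final)\b",
     "weak or legacy hash"),
    (r"\bCALG_(RC2|RC4|DES)\b|\bDES_\w*encrypt\b|\bRC4_\w+\b",
     "weak cipher"),
    (r"\bCRYPT_MODE_ECB\b|\bEVP_\w+_ecb\b", "ECB mode"),
    (r"\b(s?rand|random)\s*\(", "non-cryptographic RNG"),
    (r"\b(key|iv|password|secret)\w*\s*(\[\s*\d*\s*\])?\s*=\s*[\"{]",
     "possible hard-coded key material"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), note) for p, note in CRYPTO_PATTERNS]


def scan_text(filename, text):
    """Return one (filename, line_no, note, matched_text, source_line) per hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for regex, note in COMPILED:
            for m in regex.finditer(line):
                hits.append((filename, line_no, note, m.group(0), line.strip()))
    return hits


def scan_files(files):
    """files maps filename -> source text (used for the in-memory samples)."""
    hits = []
    for name, text in files.items():
        hits.extend(scan_text(name, text))
    return hits


def scan_tree(root, exts=(".c", ".cc", ".cpp", ".h", ".hpp")):
    """Walk a source tree on disk; same output shape as scan_files."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    hits.extend(scan_text(path, f.read()))
    return hits


def rank_files(hits):
    """Files ordered by hit count: the rough drill-down order for step (3)."""
    return Counter(h[0] for h in hits).most_common()


# Constructed sample sources (not from any real project).
SAMPLE_FILES = {
    "auth.c": """\
#include <windows.h>
#include <wincrypt.h>

/* Fixed key compiled into the binary: anyone with the image has it. */
static const BYTE key[16] = { 0x01, 0x02, 0x03, 0x04 };

BOOL hash_password(HCRYPTPROV prov, const char *pw, BYTE *out, DWORD *len)
{
    HCRYPTHASH h;
    if (!CryptCreateHash(prov, CALG_MD5, 0, 0, &h))
        return FALSE;
    if (!CryptHashData(h, (const BYTE *)pw, (DWORD)strlen(pw), 0))
        return FALSE;
    return CryptGetHashParam(h, HP_HASHVAL, out, len, 0);
}

void make_session_token(BYTE *buf, int n)
{
    srand((unsigned)time(NULL));
    for (int i = 0; i < n; i++)
        buf[i] = (BYTE)rand();
}
""",
    "stream.c": """\
BOOL derive_stream_cipher(HCRYPTPROV prov, HCRYPTHASH h, HCRYPTKEY *k)
{
    DWORD mode = CRYPT_MODE_ECB;
    if (!CryptDeriveKey(prov, CALG_DES, h, 0, k))
        return FALSE;
    return CryptSetKeyParam(*k, KP_MODE, (BYTE *)&mode, 0);
}
""",
    "util.c": """\
/* Plain string utility, nothing cryptographic: should produce no findings. */
size_t count_items(const char *s, char sep)
{
    size_t n = 0;
    for (; *s; s++)
        if (*s == sep) n++;
    return n;
}
""",
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for name, count in rank_files(found):
        print(f"{name}: {count} line(s) to review")
    for name, line_no, note, matched, src in found:
        print(f"  {name}:{line_no}: {note} [{matched}]  {src}")
```

Run against a real tree with `scan_tree("path/to/src")`; the ranking only tells you where to start reading, and every hit still gets the line-by-line pass from step (3), since the patterns cannot tell a test vector from a production key.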


About Dragan Pleskonjic

Chief Security Officer, University Lecturer, Entrepreneur, Security Researcher, Security Architect & Adviser, Software Development Manager.
This entry was posted in Cryptography, Secure Programming, Tools and Utilities.
