Manual code reviews

PostedNovember 29, 2024

UpdatedNovember 29, 2024

ByKevin McCaffrey

Performing manual code reviews is a critical practice in ensuring the quality and security of the software you produce. Manual code reviews provide an opportunity to identify potential issues, such as security vulnerabilities, logic flaws, or coding standard violations, that automated tools might miss. By involving multiple reviewers in the process, code reviews help maintain consistency, share knowledge across the team, and verify that best practices are followed.

Establish code review guidelines: Develop clear guidelines for code reviews, specifying the types of issues to look for, such as security vulnerabilities, logic errors, coding standard violations, and performance concerns. The guidelines should also define the scope of reviews, the review process, and expected outcomes. Standardized guidelines help reviewers understand their responsibilities and provide a consistent basis for evaluating code.
Enforce peer reviews: Ensure that every piece of code is reviewed by at least one other team member who did not write the code. Peer reviews help verify that code meets quality standards and follows best practices, and they provide a fresh perspective that can catch issues that the original author may have overlooked. Peer reviews also encourage knowledge sharing, as team members learn from each other’s code.
Focus on security and quality: During manual code reviews, emphasize both security and code quality. Reviewers should check for common security issues such as improper input validation, hardcoded secrets, unsafe use of third-party libraries, and incorrect permissions. Code quality considerations include code readability, maintainability, adherence to coding standards, and efficiency.
Use collaborative code review tools: Use code review tools such as GitHub, GitLab, AWS CodeCommit, or Bitbucket to facilitate collaborative reviews, provide comments, track changes, and approve code. These tools enable asynchronous reviews, allowing developers to review code when they have time, and they provide a record of all comments, changes, and approvals. Using code review tools helps ensure that the process is organized, transparent, and well-documented.
Review small changes frequently: Encourage frequent code reviews for small, incremental changes rather than waiting for a large pull request. Smaller code changes are easier to review thoroughly, reducing the likelihood of missing critical issues. Reviewing small changes frequently also enables faster feedback cycles, which helps improve the overall development pace and code quality.
Encourage constructive feedback and collaboration: Create a positive code review culture that focuses on constructive feedback and continuous improvement. Reviewers should provide actionable suggestions that help improve the quality and security of the code while being respectful and supportive. A collaborative code review culture encourages developers to learn from each other, share best practices, and maintain a shared commitment to high-quality code.
Combine manual reviews with automated checks: Use automated testing tools and static analysis tools alongside manual code reviews to ensure a comprehensive review process. Automated tools can quickly identify many types of security vulnerabilities and coding errors, while manual reviews can focus on higher-level issues, such as architecture, design, and business logic. Combining both approaches helps ensure that the code is rigorously evaluated from multiple perspectives.
Perform targeted security reviews for critical code: Conduct in-depth, manual security reviews for critical portions of the codebase, such as authentication mechanisms, encryption modules, or code handling sensitive data. These reviews should be conducted by experienced security experts to identify subtle vulnerabilities that may be missed during standard peer reviews or by automated tools.

Supporting Questions:

How do you ensure that code quality and security are reviewed by someone other than the original author?
What guidelines and processes are in place to facilitate effective code reviews?
How do you balance manual code reviews with automated checks to ensure comprehensive code quality?

Roles and Responsibilities:

Application Developer:

Responsibilities:
- Submit code for review, ensuring that all new code is reviewed by at least one peer before merging.
- Address feedback received during code reviews and collaborate with reviewers to improve code quality and security.

Reviewer (Developer or Security Expert):

Responsibilities:
- Review code to identify potential security vulnerabilities, logic errors, and deviations from coding standards.
- Provide constructive feedback to the original author to improve the quality, readability, and security of the code.

Security Analyst:

Responsibilities:
- Participate in code reviews for critical portions of the codebase, such as authentication, encryption, or other sensitive areas.
- Ensure that security best practices are followed during code reviews and provide specialized guidance for security-critical code.

Artefacts:

Code Review Guidelines: A document outlining the guidelines, scope, and expectations for manual code reviews, including specific areas to focus on for quality and security.
Code Review Comments and Feedback Records: Records of comments, suggestions, and approvals from code reviews, providing a documented history of changes and improvements.
Security Review Checklist for Critical Code: A checklist used during in-depth security reviews of critical code, outlining specific areas to assess and verify for security vulnerabilities.

Relevant AWS Services:

Code Review Tools:

AWS CodeCommit: Provides a secure Git-based repository to manage code changes, facilitate pull requests, and conduct peer code reviews.
AWS CodeGuru Reviewer: Uses machine learning to review code automatically and provide recommendations for improvements, supplementing manual code reviews.

Security and Compliance Tools:

Amazon Inspector: Assesses applications and their environments for vulnerabilities, helping verify that software meets security requirements before it is released.
AWS Security Hub: Aggregates security findings, helping identify vulnerabilities that may have been introduced into the codebase, and provides a centralized view of the security posture.

CI/CD Integration Tools:

AWS CodePipeline: Integrates automated testing tools and manual approval steps to ensure that reviewed and tested code is deployed in a controlled and secure manner.
AWS IAM (Identity and Access Management): Manages access controls for code repositories, ensuring that only authorized personnel can submit, review, or approve code changes.

Operational Excellence

Determine what your priorities are

Structure your organization to support your business outcomes

Organizational culture to support your business outcomes

Implement observability in your workload

Reduce defects, ease remediation, and improve flow into production

Mitigate deployment risks

Be ready to support a workload

Uilize workload observability

Understand the health of your operations

Manage workload and operations events

Evolve your operations

Security

Securely operate your workload

Manage identities for people and machines

Manage permissions for people and machines

Detect and investigate security events

Protect your network resources

Protect your compute resources

Classify your data

Protect your data at rest

Protect your data in transit

Anticipate, respond to, and recover from incidents

Incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle

Reliability

Manage service quotas and constraints

Plan your network topology

Design your workload service architecture

Design interactions in a distributed system to prevent failures

Design interactions in a distributed system to mitigate or withstand failures

Monitor workload resources

Design your workload to adapt to changes in demand

Implement change

Back up data

Fault isolation to protect your workload

Design your workload to withstand component failures

Test reliability

Plan for disaster recovery (DR)

Cost Optimization

Implement cloud financial management

Govern usage

Monitor your cost and usage

Decommission resources

Evaluate cost when you select services

Meet cost targets when you select resource type, size and number

Use pricing models to reduce cost

Plan for data transfer charges

Manage demand, and supply resources

Evaluate new services

Evaluate the cost of effort

Performance

Select the appropriate cloud resources and architecture patterns for your workload

Select and use compute resources in your workload

Store, manage, and access data in your workload

Select and configure networking resources in your workload

Support more performance efficiency for your workload

Sustainability

Select Regions for your workload

Align cloud resources to your demand

Take advantage of software and architecture patterns to support your sustainability goals

Take advantage of data management policies and patterns to support your sustainability goals

Select and use cloud hardware and services in your architecture to support your sustainability goals

Implement organizational processes support your sustainability goals