Gerrit Code Review Process
Code and patches can be brought to the attention of the security group by using the tag 'SecurityImpact'.
This automatically forwards an email to firstname.lastname@example.org with a link back to the Gerrit page.
Anyone is welcome to review code; however, the following areas of knowledge are beneficial to all reviewers:
- Code: The language(s) used, and the features and weaknesses of that language from a security perspective: the issues one needs to look out for, and best practices from a security and performance standpoint.
- Context: The workings of the application being reviewed. All security is in the context of what we are trying to secure. Recommending military-grade security mechanisms for an application that vends apples would be overkill and out of context. What type of data is being manipulated or processed, and what would the damage to the company be if this data were compromised? Context is the "Holy Grail" of secure code inspection and risk assessment; we'll see more of this later.
- Audience: The intended users of the application. Is it externally facing, or internal to "trusted" users? Does this application talk to other entities (machines/services)? Do humans use this application?
- Importance: The size of the consequences of failure. Would the enterprise be affected in any significant way if the application could not perform its functions as intended?