To obtain reasonable assurance over your code development process, it is best to first have a Quality Control framework in place that defines the different requirements for writing secure code, the test types required, the tools to be used for testing (e.g., code analysis tools), etc.
At the least, the following best-practice recommendations for code validations should be adopted:
- Your code should be easily readable (your code should be understandable by others)
- Your code should be easily maintainable, reusable and scalable
- Your code should be securely developed (no use of hard-coded secrets, no use of vulnerable libraries, etc.)
- Your code should be optimised for performance
- Your code should be well documented
- Your code should undergo a standard quality review process (e.g. unit testing, integration testing, regression testing, etc.)
I advise you to look into DevSecOps and the OWASP code review guide as they are a good way to start familiarising yourself with best-practice methods for code validations and efficiently integrating security within development.
1. Have the right code review checklist before code submit/commit; this includes unit tests performed
2. Code format for the right exceptions; a simple example could be right alignments
3. Architecture: code sync / design / flow should be as precise as possible
4. Best practices: avoid multiple if/else, do not overwrite comments, use the right framework
5. Future forecasted code: maintainability, readability, testability, debuggability, configurability
6. Important documentation for code: reusability, reliability, extensibility (adding enhancements), security, performance, scalability and usability
Finally, also include static code analyzers at the end of code commit; this will negate security flaws if they exist.
Example: Coverity, FindBugs, Fortify
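The first answer asks for "no hard-coded secrets, no vulnerable libraries", and this one asks for an analyzer that runs at commit time. The script below is an added example, not code from either answer or from any of the tools named above: a minimal pre-commit style check that scans the staged files for secret-looking assignments and for dependency pins on a denylist. The regexes, the `VULNERABLE_PINS` set, the `# nosecret` suppression marker and the `SAMPLE_STAGED` files are all constructed for illustration; a real hook would read the index with `git diff --cached` and use a maintained vulnerability feed rather than a hard-coded set.

```python
"""Toy pre-commit checker: hard-coded secrets and known-vulnerable pins.

Added example. The patterns, the vulnerable-version list and the sample
files are constructed for illustration, not taken from any real tool.
"""
import re
from dataclasses import dataclass

# Constructed heuristics: a well-known key prefix, credential-like
# assignments with a quoted literal of 8+ chars, and PEM private keys.
SECRET_PATTERNS = [
    ("aws_access_key", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("generic_assignment", re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]

# Constructed denylist of (package, version) pins treated as vulnerable
# for this example; a real check would query an advisory database.
VULNERABLE_PINS = {("requests", "2.19.0"), ("pyyaml", "5.3")}

REQUIREMENT_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][\w.]*)\s*$")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str


def scan_source(path, text):
    """Return one Finding per line that matches a secret pattern."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if "# nosecret" in line:  # explicit, reviewable suppression (constructed marker)
            continue
        for rule, pat in SECRET_PATTERNS:
            if pat.search(line):
                findings.append(Finding(path, n, rule, line.strip()))
                break  # one finding per line is enough to block the commit
    return findings


def scan_requirements(path, text):
    """Return one Finding per exact pin that is on the vulnerable denylist."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUIREMENT_RE.match(line)
        if m and (m.group(1).lower(), m.group(2)) in VULNERABLE_PINS:
            findings.append(Finding(path, n, "vulnerable_pin", line.strip()))
    return findings


def check_commit(staged):
    """staged maps path -> content, i.e. what a hook would read from the index."""
    findings = []
    for path, text in staged.items():
        if path.endswith("requirements.txt"):
            findings.extend(scan_requirements(path, text))
        else:
            findings.extend(scan_source(path, text))
    return findings


# Constructed sample of staged files: two secrets, one suppressed
# placeholder, one secret correctly read from the environment, one bad pin.
SAMPLE_STAGED = {
    "app/config.py": (
        "import os\n"
        "DB_PASSWORD = 'hunter2hunter2'\n"          # should be flagged
        "API_KEY = os.environ['API_KEY']\n"         # fine: not a literal
        "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n"        # should be flagged
        "PLACEHOLDER = 'changeme-in-prod' # nosecret\n"  # deliberately suppressed
    ),
    "requirements.txt": "requests==2.19.0\nflask==2.3.2\n",
}

if __name__ == "__main__":
    results = check_commit(SAMPLE_STAGED)
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.snippet}")
    # A non-zero exit is what makes git abort the commit when used as a hook.
    raise SystemExit(1 if results else 0)
```

The design point is that the check is deterministic and fails closed: any finding aborts the commit, and the only way past it is a visible `# nosecret` marker that the reviewer will see in the diff. Run it on the sample and it reports the two literal secrets and the `requests` pin while letting the environment-variable read and the suppressed placeholder through.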
- it follows the development guidelines of your company / business
- it is readable
- it is understandable
- the feature seems to be thoroughly implemented
- everything has been verified and tested
Basically, you want to make sure the developer followed the practice given by the company and/or best practice in general. Since you may be called to maintain this code, you want to make sure you understand the code well enough that in a year or more you are able to update it for new features or fix it if defects happen.
In some complex systems, or when a developer needs to go fast, it can be easy to forget steps, especially in tests. Your review makes sure that things haven't been overlooked.
- The fundamental logic to accomplish the functionality
- Well structured and readable
- Best practices
- Code testing criteria - meets standards set by the team or your organization