CSC 2045 Code Review Week 04
25 Questions
Questions and Answers

What is the typical review speed for code according to best practices?

  • 250-300 lines/hour
  • 100-150 lines/hour
  • 150-200 lines/hour (correct)
  • 200-250 lines/hour

Which type of code should be prioritized for review?

  • Code that is easily understandable
  • Code with minimal complexity
  • Code that has not changed recently
  • Code handling sensitive data (correct)

What is the purpose of the assert macro in C++?

  • To prevent all forms of runtime exceptions
  • To check for programming errors during debugging (correct)
  • To capture user errors during runtime
  • To handle network errors gracefully

Which of these bugs requires attention during a code review?

  Answer: Off-by-one errors in loops

What should unit test plans include?

  Answer: A procedure to test code and expected outputs

Which of these is a problem often encountered during code reviews?

  Answer: Fallibility of human reviewers

What type of problems are categorized as flaws in software development?

  Answer: Subtle problems derived from design issues

Which of the following is a primary goal of conducting a code review?

  Answer: To identify coding defects for later removal

What benefit does code review provide by finding defects earlier in the lifecycle?

  Answer: Identifies bugs with less effort than traditional testing

What is a key consideration during the code review process?

  Answer: Establishing clear objectives and areas to focus on

What is the primary purpose of a code review?

  Answer: To improve code quality and promote learning

Which of the following describes the typical frequency of code reviews in modern development practices?

  Answer: With each small work unit ready for review

Which of the following steps is NOT part of the typical code review workflow?

  Answer: Create new code during the review

What is the primary benefit of manual security code review compared to automated tools?

  Answer: It can provide context and risk assessments.

Why do many software developers create vulnerabilities in their code?

  Answer: They lack education on software weaknesses.

Why is it recommended for code authors to use a code review checklist before sending their code for review?

  Answer: It helps authors catch important issues and think critically about their changes.

What should a code reviewer focus on according to best practices in code reviews?

  Answer: Addressing larger structural or logical problems before minor issues.

What is a key benefit of using a code review checklist for code reviewers?

  Answer: It directs reviewers to the most impactful issues in the code.

What is the primary reason the review team should understand the business purpose of the application?

  Answer: To guide the search for serious vulnerabilities

Which source of information is considered the most effective for starting a security code review?

  Answer: Conversations with developers and architects

How can security review teams build trust with the development team?

  Answer: By treating them as partners in the review process

What is a significant challenge typically faced during the information gathering phase of a code review?

  Answer: Documentation is often out of date and inadequate

Why is it important for the reviewer to verify that key risks have been properly addressed?

  Answer: To confirm that security controls are functioning adequately

Which of the following best describes the role of the code author in the review process?

  Answer: To work on feedback until all parties are satisfied

Which two stakeholders are typically involved in the code review process?

  Answer: The code authors and the code reviewers

Study Notes

CSC 2045 Code Review

  • Objectives: Conduct thorough source code analysis using various tools and techniques; describe the purpose and process of a code review; and describe common security vulnerabilities in the course programming language.

Agenda: Week 04

  • Vulnerabilities in Software: Bugs are problems introduced during implementation that are comparatively easy to discover and correct (e.g., buffer overflows, race conditions, unsafe system calls, incorrect validation). Flaws are deeper, more subtle problems that originate in the design and its instantiation in code (e.g., compartmentalization, error handling, broken access control).

  • Teaching Code Review: Read the article: https://www.eduflow.com/blog/teaching-code-review-to-university-students; reflect on your top takeaway.

  • Introduction to Code Review: Inspection of source code by someone other than the author to identify coding defects for later removal. The focus is on identifying defects and helping improve code quality. Read the article: https://wiki.owasp.org/index.php/Code_Review_Introduction. Browse: https://www.awesomecodereviews.com/fundamentals/code-review.

  • Benefits of Code Review: Find defects earlier in the lifecycle (IBM finds 82% of defects before testing); find defects with less effort than testing (IBM: 3.5 hrs/defect for review versus 15–25 hrs/defect for testing); identify different defects than testing does; identify design and requirement problems; educate developers about security bugs, since developers frequently repeat the same mistakes.

  • Code Review Preparation: Read the OWASP article: https://wiki.owasp.org/index.php/Code_Review_Preparation, including the sections Laying the Groundwork; Before We Start; Discovery: Gathering the Information; Context, Context, Context; and The Checklist. Students should browse: https://www.awesomecodereviews.com/checklists/code-review-checklist

  • Code Review Considerations: Know your limits (typical review speed is 150–200 lines/hour). Know what bugs to look for (use checklists and static analysis tools). Common problems: reviews require substantial expertise in programming and security; human reviewers make errors; and reviews of legacy code are slow. Understand the time commitment required for effective code reviews.

  • Prioritizing What Code To Review: Code accessible without authentication, code with a history of vulnerabilities, code that handles sensitive data, complex code, and code that changes frequently.

  • What To Look For & Giving Feedback: Bugs and potential bugs (repetitive code, disagreements between code and spec, off-by-one errors, global variables, optimistic/un-defensive programming, magic numbers); unclear, messy code (bad variable/method names, inconsistent indentation, too much on one line, trivial comments, variables used for multiple purposes). Students can browse: https://www.youtube.com/embed/NNXk_WJzyMI?si=Lh-LHmqHxg. Use the provided URLs for additional resources.

  • Best Practices For Code Review: Enhance software security through structured design, code inspection, and peer review; integrate code review into the software development process; meet with developers; determine whether the code meets secure code development criteria; consider coding standards and code review checklists; inspect code comments, documentation, unit test plans, and security requirements. Students should browse: https://www.awesomecodereviews.com/best-practices/code-review

  • Testing: Unit test plans should include how to test the code; demonstrate that the code meets security requirements and design/coding standards; and include a test procedure, inputs, and expected outputs. Students should browse: https://best-practice-and-impact.github.io/qa-of-code-guidance.

  • Assert Or Not To Assert (C++): The assert macro is a debugging aid: when its condition is false it prints an error message and aborts the program. It is designed to catch programming errors, not run-time errors, and is usually disabled after debugging. Member functions should not use assert to validate user interaction; instead, return a bool (true if the input is valid, false if not). Students can browse: https://pythontutor.com/visualize.html#code=%23include%20%3eck.

  • Example: Zune Infinite Loop: The provided code example (dated 12/31/08) shows how flawed logic in a year calculation, such as failing to account for leap years, can cause a while loop to run endlessly. Students can browse: https://leancrew.com/all-this/2009/01/leap-year-and-the-zune.
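The following C++ block is an added example, not code from this page or from the Zune firmware; it reproduces the shape of the leap-year loop described in the Zune bullet above, with an iteration bound so the hang becomes a visible return value, and a fixed version that also follows the assert guidance from the previous bullet: invalid caller input is reported through a bool, while assert guards only an internal invariant. The function names and the 1980 epoch (day 1 = 1 January 1980) are assumptions.

```cpp
#include <cassert>

constexpr int kOriginYear = 1980;   // assumed epoch: day 1 is 1 January 1980

static bool isLeapYear(int year) {
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

// Buggy shape of the conversion. On 31 December of a leap year `days` reaches
// 366: the loop condition (days > 365) holds, but the leap-year branch only
// subtracts when days > 366, so nothing changes and the loop spins forever.
// An iteration bound turns that hang into a return value (-1) for testing.
int convertDaysBuggy(int days, int maxIters) {
    int year = kOriginYear;
    for (int iters = 0; days > 365; ++iters) {
        if (iters >= maxIters) return -1;      // the Zune hang, made visible
        if (isLeapYear(year)) {
            if (days > 366) { days -= 366; ++year; }
        } else {
            days -= 365; ++year;
        }
    }
    return year;
}

// Fixed version. A non-positive day count from a caller is a run-time
// condition, so it is reported through the bool return value, not an assert.
// The assert at the end checks an internal invariant that can only fail
// through a programming error, and it disappears when NDEBUG is defined.
bool convertDaysFixed(int days, int& year, int& dayOfYear) {
    if (days < 1) return false;                // invalid input: not a bug
    year = kOriginYear;
    while (days > 365) {
        if (isLeapYear(year)) {
            if (days <= 366) break;            // 31 December of a leap year
            days -= 366; ++year;
        } else {
            days -= 365; ++year;
        }
    }
    dayOfYear = days;
    assert(dayOfYear >= 1 && dayOfYear <= (isLeapYear(year) ? 366 : 365));
    return true;
}

// Convenience wrappers so results can be checked without reference parameters.
int fixedYear(int days) { int y = 0, d = 0; return convertDaysFixed(days, y, d) ? y : -1; }
int fixedDayOfYear(int days) { int y = 0, d = 0; return convertDaysFixed(days, y, d) ? d : -1; }
```

With the constructed input 10593 (31 December 2008 counted from the assumed epoch), the buggy loop never terminates while the fixed version returns 2008, day 366.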


Description

Explore the intricacies of code review in CSC 2045. This quiz covers source code analysis, security vulnerabilities, and the process of code reviews. Learn about the detection of bugs and flaws and gain insight from relevant articles.
