Don’t Just Ship It — Secure It: a Guide to Code Reviews and Security Testing


November 6th, 2025

Software security testing and code reviews are among the most effective security assurance activities. The purpose of code reviews and security testing is to identify and fix vulnerabilities early, which is cheaper and faster than addressing them post-release.

The aim of security testing is to verify that the software is implemented securely and to detect vulnerabilities before release. It both validates compliance with the security requirements and surfaces threats the requirements did not anticipate. Security testing is usually grouped into three categories by how much the tester knows about the system. Black-box testing (for example, an external penetration test or dynamic testing of a running build) examines the software's externally visible behaviour with no knowledge of its internal code or structure. White-box testing (source code analysis, by static analysis tools or manual review) examines the internal logic, code paths, and structure to verify that the program behaves as intended. Gray-box testing sits between the two: the tester has partial insight into the internals, such as architecture documents, credentials, or selected source files, and uses it to design more targeted tests than pure black-box testing allows.

Designing a security test plan involves the following steps:

  1. Define test scripts: the logical, repeatable steps that spell out how each security test is carried out, so that a result can be reproduced and retested after a fix.

  2. Define the user community: knowing who will use the software, and who is likely to attack it, lets testers set the acceptable level of risk and prioritise tests accordingly.

  3. Identify showstoppers: the test cases and scenarios that are "must-haves", meaning a failure in any of them blocks release.

  4. Identify internal resources: who from within the organisation (developers, operations, product owners) is needed to support the testing.

  5. Identify external resources: any third-party experts, services, or tools that the testing requires.

There are two types of software tests: functional tests and security tests. Functional test scripts are step-by-step instructions that simulate real-world usage scenarios and check the application's response against the expected behaviour. Security test scripts are derived from the threat model and target the security of the application specifically: each security test case represents an attack a threat agent could carry out, for example to gain unauthorized access to sensitive data, and passes only when the application resists that attack.
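As an added illustration of that difference (example code written for this page, not part of the original post or of any particular product), the Python below defines a small document-retrieval handler in a deliberately vulnerable form and a hardened form, then runs the same test plan over both. The handler names, the in-memory SQLite table and the two sample users alice and bob are all constructed for the example. The single functional case checks the expected behaviour; the two security cases are written from the threat model as attacks (an insecure direct object reference and a SQL injection through the id parameter) and pass only when the attack is refused.

```python
import sqlite3


class NotFound(Exception):
    """Requested document does not exist."""


class Forbidden(Exception):
    """Caller is not the owner of the requested document."""


def build_db():
    """Constructed sample data: two users, each owning one document."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [(1, "alice", "Alice quarterly report"), (2, "bob", "Bob salary data")],
    )
    return conn


def get_document_vulnerable(conn, user, doc_id):
    """'Before' handler: string-built SQL and no ownership check.
    Deliberately vulnerable so the security test cases have something to catch."""
    row = conn.execute(f"SELECT body FROM documents WHERE id = {doc_id}").fetchone()
    if row is None:
        raise NotFound(doc_id)
    return row[0]


def get_document(conn, user, doc_id):
    """Hardened handler: typed input, parameterised query, explicit ownership check."""
    if not isinstance(doc_id, int):
        raise ValueError("doc_id must be an integer")
    row = conn.execute(
        "SELECT owner, body FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()
    if row is None:
        raise NotFound(doc_id)
    owner, body = row
    if owner != user:
        raise Forbidden(f"{user} is not the owner of document {doc_id}")
    return body


def attempt(handler, conn, user, doc_id):
    """Drive a handler the way a test script would and normalise the outcome."""
    try:
        return ("ok", handler(conn, user, doc_id))
    except Exception as exc:  # any refusal counts; the case checks the outcome, not the type
        return ("refused", type(exc).__name__)


# The test plan: one functional case plus security cases derived from the threat model.
# Each entry is (name, kind, acting user, doc_id supplied, predicate over the outcome).
TEST_PLAN = [
    ("owner reads own document", "functional", "alice", 1,
     lambda r: r == ("ok", "Alice quarterly report")),
    ("IDOR: bob requests alice's document by id", "security", "bob", 1,
     lambda r: r[0] == "refused"),
    ("SQLi: tautology injected into id parameter", "security", "bob", "1 OR 1=1",
     lambda r: r[0] == "refused"),
]


def run_test_plan(handler):
    """Run every case against a fresh database; True means the case passed."""
    conn = build_db()
    return {name: check(attempt(handler, conn, user, doc_id))
            for name, _kind, user, doc_id, check in TEST_PLAN}


if __name__ == "__main__":
    for handler in (get_document_vulnerable, get_document):
        print(handler.__name__, run_test_plan(handler))
```

Running it shows the point of the distinction: the vulnerable handler passes the functional case (alice can read her own report) while failing both security cases, because bob can read document 1 directly and the string "1 OR 1=1" collapses the WHERE clause and returns the first row. The hardened handler passes all three. A functional test suite alone would have shipped the first version.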

Code review in the Security Development Lifecycle (SDL) is the process of systematically examining source code to identify security flaws, logic errors, and deviations from secure coding standards before software is released.

There are four steps to a security code review:

  1. Identify code review objectives. Decide which vulnerability classes and which components matter most for this release, so reviewers know what to look for and where.

  2. Perform the preliminary scan. Use static analysis tools or targeted searches to locate hotspots quickly: risky calls, input handling, and authentication and authorization logic.

  3. Identify security vulnerabilities in the code. Examine the hotspots and the high-risk paths by hand, confirming which scan results are real flaws and tracing the data flows that tools cannot follow.

  4. Review the code for security vulnerabilities specific to the software environment. Check for weaknesses tied to the language, framework, platform and deployment context, which generic checks miss.
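The preliminary scan can be partly automated. As an added example that is not from the original post, the Python below is a small rule-driven scanner of the kind a reviewer might write to triage a code base before reading it: the review objectives and the target environment select the rules (step 1), the scan runs line by line (step 2), matches become findings for manual confirmation (step 3), and environment-specific rules, such as a check for Flask debug mode, are enabled only when the code targets that environment (step 4). The rule names, the regular expressions and the sample source being scanned are all constructed for this example; a real review would use a proper static analyser and treat these matches as leads, not as confirmed vulnerabilities.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str          # short label for the finding (constructed for this example)
    pattern: re.Pattern   # line-level regular expression that flags a hotspot
    objective: str        # the review objective the rule serves
    environment: str      # "any", or an environment prefix such as "python" or "python-flask"


@dataclass(frozen=True)
class Finding:
    rule_id: str
    line_no: int
    line: str


# Constructed rule set. Generic rules apply everywhere; the rest are environment-specific.
RULES = [
    Rule("HARDCODED-SECRET",
         re.compile(r"(?i)\b(password|secret|api_key|token)\s*=\s*[\"'][^\"']+[\"']"),
         "secrets handling", "any"),
    Rule("DYNAMIC-EVAL", re.compile(r"\b(eval|exec)\s*\("), "injection", "any"),
    Rule("SHELL-TRUE", re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True"), "injection", "any"),
    Rule("PICKLE-LOAD", re.compile(r"\bpickle\.loads?\s*\("), "untrusted deserialisation", "python"),
    # yaml.load without an explicit Loader argument
    Rule("YAML-UNSAFE-LOAD", re.compile(r"\byaml\.load\s*\((?![^)]*Loader)"),
         "untrusted deserialisation", "python"),
    Rule("FLASK-DEBUG", re.compile(r"\.run\(.*debug\s*=\s*True"), "configuration", "python-flask"),
]


def select_rules(environment):
    """Steps 1 and 4: objectives and target environment decide which rules run."""
    return [r for r in RULES
            if r.environment == "any" or environment.startswith(r.environment)]


def scan(source, environment="python"):
    """Steps 2 and 3: preliminary line-by-line scan producing findings for manual review."""
    findings = []
    rules = select_rules(environment)
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # comments are not code; skip them to reduce noise
        for rule in rules:
            if rule.pattern.search(line):
                findings.append(Finding(rule.rule_id, line_no, stripped))
    return findings


# Constructed sample source with several planted hotspots.
SAMPLE_SOURCE = '''\
import pickle, subprocess, yaml
API_KEY = "sk-live-0123456789"
def load_profile(blob):
    return pickle.loads(blob)
def load_config(text):
    return yaml.load(text, Loader=yaml.SafeLoader)
def run_report(name):
    subprocess.run("report.sh " + name, shell=True)
def main(app):
    app.run(host="0.0.0.0", debug=True)
'''


if __name__ == "__main__":
    for env in ("python", "python-flask"):
        print(f"environment={env}")
        for f in scan(SAMPLE_SOURCE, env):
            print(f"  line {f.line_no}: {f.rule_id}: {f.line}")
```

Scanning the sample as plain Python flags the hard-coded key, the pickle load and the shell=True call, but not the yaml.load on line 6, because it passes a Loader. Scanning it as a Flask application additionally flags debug=True on line 10, which is what step 4 adds: a rule that is only meaningful once the environment is known. Every finding still needs a human to decide whether it is reachable from untrusted input.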

Code review strengthens the SDL by enforcing secure coding practices, improving code quality, and reducing the cost of fixing vulnerabilities later in development.

Software security testing and code reviews work together to identify and fix vulnerabilities early, ensuring software is both functional and secure before release. By validating code quality and testing against potential threats, they strengthen the SDL and reduce the cost and risk of post-release security failures.

— Ben Skinner
