PW.7.2: Perform the code review and/or code analysis based on the organization’s secure coding standards, and record and triage all discovered issues and recommended remediations in the development team’s workflow or issue tracking system.
Example 1: Perform peer review of code, and review any existing code review, analysis, or testing results as part of the peer review.
Example 2: Use expert reviewers to check code for backdoors and other malicious content.
Example 3: Use peer reviewing tools that facilitate the peer review process, and document all discussions and other feedback.
Example 4: Use a static analysis tool to automatically check code for vulnerabilities and compliance with the organization’s secure coding standards with a human reviewing the issues reported by the tool and remediating them as necessary.
Example 5: Use review checklists to verify that the code complies with the requirements.
Example 6: Use automated tools to identify and remediate documented and verified unsafe software practices on a continuous basis as human-readable code is checked into the code repository.
Example 7: Identify and document the root causes of discovered issues.
Example 8: Document lessons learned from code review and analysis in a wiki that developers can access and search.
CMMI Maturity
Description
Perform the code review and/or code analysis based on the organization’s secure coding standards, and record and triage all discovered issues and recommended remediations in the development team’s workflow or issue tracking system.