Can manual code review serve as an effective method of reviewing source code for security vulnerabilities?
While it is possible to identify security vulnerabilities in the source code manually, most companies do not have the skilled security resources or time available within the software development lifecycle that a manual code review requires, and therefore many companies that decide to perform a manual code review can only analyze a small portion of their applications. Limited by practicality to select a sample of applications to review, organizations thus end up with only partial insight into the security state of their applications. Some of the techniques frequently used to verify application security include automated source code review, static analysis, penetration testing, manual code review, threat modeling, and architecture review. All of these techniques are useful and important, but should be used strategically, where they are the most effective.
