Source code review (also called code audit or secure code review) is the systematic examination of application source code to identify security vulnerabilities, logic errors, and deviations from secure coding standards. Code review operates as a white-box assessment where reviewers have full visibility into application logic, making it possible to identify vulnerabilities that black-box testing cannot reach -- including subtle logic flaws, race conditions, and cryptographic misuse.
Secure code review combines automated static analysis with manual expert review. Static application security testing (SAST) tools scan the codebase against rule databases of known vulnerability patterns: injection flaws, authentication weaknesses, cryptographic misuse, and insecure configurations. SAST gives broad coverage quickly, but its findings need triage because it produces false positives, and it misses vulnerabilities that depend on application context, such as authorization decisions and business logic, which no pattern rule can express. Manual review by security-trained developers therefore concentrates on the high-risk code paths identified through threat modeling: authentication and authorization logic, cryptographic implementations, session management, input processing, and integration points with external systems. Reviewers trace data flows from untrusted inputs (sources) through processing logic to sensitive operations (sinks), identifying the points where validation, encoding, or access control is missing. Checklists based on OWASP guidelines and language-specific secure coding standards keep coverage consistent across reviewers. Findings are documented with severity ratings, the vulnerable code locations, an exploit scenario, and specific remediation code. The review is integrated into the development workflow through pull request review, where security-focused checks complement functional review.
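The source-to-sink tracing described above is exactly what a SAST rule automates, so the following added example (not CDA's tooling or methodology, and not code from any real project) sketches a toy taint checker on top of Python's standard-library ast module and runs it over three constructed snippets: a string-built query, a half-fixed version that parameterizes the value but still interpolates a table name, and a hardened version. The rule sets SOURCE_NAMES, SINKS and SANITIZERS, the lookup functions and their request and cursor objects are all hypothetical and exist only for the illustration.

```python
"""Toy source-to-sink taint checker for Python snippets, built only on the stdlib ast module.

The rule set below is a hypothetical, deliberately tiny stand-in for what a SAST
engine ships; the snippets are constructed examples, not code from any real project.
"""
import ast

SOURCE_NAMES = {"request"}            # anything read off the request object is untrusted
SINKS = {"execute": 0, "system": 0}   # dangerous callee -> index of the argument it must not taint
SANITIZERS = {"int", "quote"}         # calls whose result is safe for those sinks


def _callee(call):
    """Name of the function being called: 'execute' for cursor.execute(), 'int' for int()."""
    func = call.func
    return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)


def is_tainted(node, tainted):
    """Conservatively decide whether an expression may carry attacker-controlled data."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call) and _callee(node) in SANITIZERS:
        return False                  # int(x) cannot smuggle SQL or shell syntax through
    # Everything else (f-strings, '+' and '%' concatenation, .format(), attribute and
    # subscript reads) is tainted if any sub-expression is.
    return any(is_tainted(child, tainted) for child in ast.iter_child_nodes(node))


def analyze(source):
    """Return (line, sink, argument) for each sink call fed by untrusted data in `source`.

    Flow-insensitive within a body and intraprocedural: enough to demonstrate the
    data-flow tracing a reviewer does by hand, not a substitute for a real analyzer.
    """
    findings = []
    tainted = set(SOURCE_NAMES)

    def visit(stmts):
        for stmt in stmts:
            if hasattr(stmt, "body"):         # def / class / if / for / while / with / try
                for field in ("body", "orelse", "finalbody"):
                    visit(getattr(stmt, field, []))
                for handler in getattr(stmt, "handlers", []):
                    visit(handler.body)
                continue
            if isinstance(stmt, ast.Assign):  # propagate (or clear) taint through assignment
                dirty = is_tainted(stmt.value, tainted)
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        (tainted.add if dirty else tainted.discard)(target.id)
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                idx = SINKS.get(_callee(call))
                if idx is not None and idx < len(call.args) and is_tainted(call.args[idx], tainted):
                    findings.append((call.lineno, _callee(call), ast.unparse(call.args[idx])))

    visit(ast.parse(source).body)
    return findings


# Constructed snippets standing in for code under review.
VULNERABLE = '''\
def lookup(request, cursor):
    uid = request.args.get("id")
    sql = "SELECT * FROM users WHERE id = '" + uid + "'"
    cursor.execute(sql)                      # string-built query: SQL injection
    os.system("logger user=" + uid)          # shell metacharacters in uid: command injection
'''

# Parameters protect the value, but an identifier still has to be interpolated; the
# reviewer must check that `table` is validated against an allow-list, which it is not.
HALF_FIXED = '''\
def lookup(request, cursor):
    table = request.args.get("table")
    uid = int(request.args.get("id"))
    cursor.execute("SELECT * FROM %s WHERE id = ?" % table, (uid,))
'''

HARDENED = '''\
def lookup(request, cursor):
    uid = int(request.args.get("id"))        # type cast breaks the taint: only digits survive
    cursor.execute("SELECT * FROM users WHERE id = ?", (uid,))
    subprocess.run(["logger", f"user={uid}"], check=True)
'''

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("half-fixed", HALF_FIXED), ("hardened", HARDENED)):
        for line, sink, arg in analyze(src) or [(None, None, None)]:
            print(f"{name:>10}: " + (f"line {line}: tainted data reaches {sink}({arg})" if sink else "clean"))
```

The half-fixed snippet is the case worth pausing on: a reviewer who only checks "is execute() parameterized?" will pass it, because the value is bound safely, while the table name is still concatenated from the request. Tracing each argument back to its source, rather than pattern-matching on the sink call, is what catches it, and it is also why manual review still earns its place beside SAST.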
Code review catches vulnerabilities at their source -- in the code itself -- before deployment. Many critical vulnerability classes including business logic flaws, race conditions, and cryptographic weaknesses are difficult or impossible to detect through external testing alone. Code review provides the deepest understanding of application security posture and identifies systemic patterns that indicate broader secure development issues.
CDA delivers source code review through VSD Theater missions. Our methodology combines SAST tooling with manual expert review focused on threat-model-driven code paths, ensuring review effort concentrates on the code most likely to contain exploitable vulnerabilities.