As part of security vulnerability management, our IT department wants to engage a security company to perform a code review of some of our apps. Looking around, the code review seems to be priced on the “size of the application”. A couple of questions (bear in mind I am not a web dev, so if you could target your answers in management speak that would be great):
1) What would you say determines the “size” of an application? Can you provide examples?
2) What does the code review entail, i.e. is it every line in the source code, or, if it is based on security, can they discard some of the code and focus purely on security aspects? Can you define what:
a) could be discarded in a security review
b) would be included in a security review
Am I correct in thinking that a code review doesn’t try to break anything, it just looks for potential flaws but doesn’t try to exploit them? Can you place reliance on that, i.e. could a code review find some potential issues that, when it came down to exploiting them, weren’t really issues at all?