* Anthony Liguori (aligu...@us.ibm.com) wrote:
> 2) Two people walk through a particular piece of code and
> independently flag anything that looks like a potential security
> issue.

Auditing is always helpful, but won't ever get full coverage. qtest + fuzz is another great way to identify problems. Also improving any annotations to help static analysis tools is useful. And both of those are development efforts rather than code review. Trouble with code review is that security bugs can be subtle and easy to miss.

> I'd want to focus initially on the common PC devices. The list
> isn't all that large and a review like this should only take a few
> hours to complete each step.

I definitely agree on the initial scope.

thanks,
-chris