Code review

Code review remains an essential engineering practice for improving code quality.

While practices like static code analysis, unit testing, and code coverage analysis are usually automated, the subsequent human code review helps ensure that new code does not introduce unwanted changes, including inadequate data protection.

According to a survey referenced in the OWASP Code Review Guide, manual code review is the most effective method for uncovering privacy issues in code and one of the most effective for identifying compliance issues.

A best practice in code review is to use checklists like this one to frame a set of questions to address during the review process. If you’re using a code review checklist, consider incorporating data protection questions, such as:

  • Are log events free of personal data?
  • Is personal data handled and stored securely?
  • Is appropriate encryption used for storing and transmitting personal data?
  • Does the change under review enable unauthorized access to personal data?
  • If the change under review introduces a new method for processing personal data, have all users provided consent for this processing?
  • If calls to third-party APIs are introduced, do they involve transferring personal data to third parties, and if so, is there user consent for such transfers?
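The first question in the checklist above, whether log events are free of personal data, is one a reviewer can back with tooling rather than eyeballing alone. The following Python snippet is an added example, not code from the original guide: it pairs a small scanner that flags personal-data patterns in log text (useful as a pre-review or CI check on test output) with a `logging.Filter` that redacts the same patterns before a record is written. The two patterns (e-mail addresses and IPv4 addresses, which can be personal data in many jurisdictions), the logger name and the sample log lines are all constructed for illustration; a real deployment would tune the pattern set to the data the application actually handles.

```python
import logging
import re

# Constructed patterns for this example: e-mail addresses and IPv4 addresses.
# Both are over-inclusive by design (e.g. version strings can look like IPs);
# a reviewer wants false positives surfaced rather than missed.
PERSONAL_DATA_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def find_personal_data(text):
    """Return a list of (kind, matched_text) pairs found in one line of text."""
    hits = []
    for kind, pattern in PERSONAL_DATA_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((kind, match.group(0)))
    return hits


def scan_log_lines(lines):
    """Pre-review check: return [(line_number, hits)] for lines carrying personal data.

    Line numbers are 1-based so they can be quoted directly in a review comment.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = find_personal_data(line)
        if hits:
            findings.append((number, hits))
    return findings


class RedactingFilter(logging.Filter):
    """Logging filter that rewrites the record's message with personal data redacted.

    Attached to a handler, it runs before the handler formats the record, so the
    redacted text is what reaches the log sink.
    """

    def filter(self, record):
        message = record.getMessage()  # applies %-style args, if any
        for kind, pattern in PERSONAL_DATA_PATTERNS.items():
            message = pattern.sub(f"<{kind} redacted>", message)
        record.msg = message
        record.args = ()  # args are already folded into msg
        return True  # keep the record, just redacted


class _ListHandler(logging.Handler):
    """Test-friendly handler that collects formatted records in a list."""

    def __init__(self, sink):
        super().__init__()
        self.sink = sink

    def emit(self, record):
        self.sink.append(self.format(record))


def emit_with_redaction(messages):
    """Log each message through the redacting filter and return what was written."""
    captured = []
    logger = logging.getLogger("example.redact")  # hypothetical logger name
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = _ListHandler(captured)
    handler.setFormatter(logging.Formatter("%(message)s"))
    handler.addFilter(RedactingFilter())
    logger.handlers = [handler]
    for message in messages:
        logger.info(message)
    return captured


# Constructed sample log output, as a reviewer might see it in a CI run.
CONSTRUCTED_LOG = [
    "2024-01-01T10:00:00Z INFO order created id=1234",
    "2024-01-01T10:00:01Z INFO notification sent to carol@example.net",
    "2024-01-01T10:00:02Z WARN retry from 198.51.100.23",
]

if __name__ == "__main__":
    for number, hits in scan_log_lines(CONSTRUCTED_LOG):
        print(f"line {number}: {hits}")
    for line in emit_with_redaction(["login from 203.0.113.7 for bob@example.org"]):
        print(line)
```

The scanner is deliberately blunt: it answers "does this line contain something that looks like personal data?" and hands the judgement to the reviewer. The filter is the complementary control for the case where a field (a user-supplied free-text value, for instance) cannot be kept out of a log call at the source.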

While initial guidance on data protection methods and threats from security or compliance teams is valuable, the data protection aspect of code review should not be left solely to security engineers. One of the benefits of code review is the dissemination of knowledge about the codebase and best practices among developers. Expanding this knowledge to include data protection practices adds an extra layer of defense against the misuse or leakage of personal data.