Monday, May 4, 2009

Light-weight Code Review as You Program (Not After You're Done)

I have been working on a project lately to perform (some) code review as code is written, rather than waiting until it is checked in to cvs/svn/etc. My solution was to create an IDE plug-in that leverages built-in features to highlight insecure method calls and suggest alternate code.

When the IDE starts up, it gets an updated list of insecure methods and hints from a web service. Right now I am in the very early stages, so it isn't very pretty or refined yet. For now, I am calling the project Just-in-Time (JIT) Secure Code.

The video below demonstrates the concept in NetBeans.
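As an added illustration of the mechanism described above (this is not the plug-in's own code, which the post does not show), here is the core loop such a plug-in needs: load a rule list in the shape a web service could return at start-up, run it over the source text the editor holds, and attach a suggested alternative to each hit, the way an IDE hint does. The rule format, the patterns, the hints and the sample Java snippet are all constructed for this example; the real service format is not described in the post.

```python
"""Toy version of the post's idea: pull a rule list (as if from a web service),
flag insecure calls in source text, and attach a suggested alternative."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Constructed rule set, serialized the way a web service could hand it to the
# plug-in at IDE start-up (assumption: the post does not describe the real
# format or the real rule content).
SERVICE_PAYLOAD = json.dumps([
    {"rule_id": "exec",
     "pattern": r"Runtime\.getRuntime\(\)\.exec\(",
     "hint": "Command execution; use ProcessBuilder with a fixed argument list."},
    {"rule_id": "sql-concat",
     "pattern": r'\.executeQuery\(\s*"[^"]*"\s*\+',
     "hint": "SQL built by concatenation; use PreparedStatement with bound parameters."},
    {"rule_id": "weak-random",
     "pattern": r"new\s+Random\(",
     "hint": "java.util.Random is predictable; use java.security.SecureRandom."},
    {"rule_id": "md5",
     "pattern": r'MessageDigest\.getInstance\(\s*"MD5"',
     "hint": "MD5 is collision-broken; use SHA-256 or stronger."},
])

# Constructed Java snippet standing in for the buffer open in the editor.
SAMPLE_JAVA = """\
public class Demo {
    String run(String name, Connection c) throws Exception {
        // Runtime.getRuntime().exec( in a comment must not be flagged
        Process p = Runtime.getRuntime().exec("ls " + name);
        ResultSet rs = c.createStatement().executeQuery("SELECT * FROM users WHERE name='" + name + "'");
        int token = new Random().nextInt();
        MessageDigest md = MessageDigest.getInstance("MD5");
        return "ok";
    }
}
"""


@dataclass(frozen=True)
class Rule:
    rule_id: str
    regex: re.Pattern
    hint: str


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line number, as an editor gutter shows it
    column: int     # 0-based column where the underline would start
    rule_id: str
    snippet: str    # the matched text the IDE would highlight
    hint: str       # the suggested alternative shown to the developer


def load_rules(payload: str) -> list[Rule]:
    """Parse the JSON rule list. A malformed entry (missing key or bad regex)
    is skipped so one bad rule from the service cannot disable all the others."""
    rules = []
    for entry in json.loads(payload):
        try:
            rules.append(Rule(entry["rule_id"], re.compile(entry["pattern"]), entry["hint"]))
        except (KeyError, TypeError, re.error):
            continue
    return rules


def scan(source: str, rules: list[Rule]) -> list[Finding]:
    """Run every rule over every line. Text after '//' is dropped so a method
    name mentioned in a line comment is not reported (naive: a '//' inside a
    string literal is also truncated, which is acceptable for a hint pass)."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        code = text.split("//", 1)[0]
        for rule in rules:
            for m in rule.regex.finditer(code):
                findings.append(Finding(lineno, m.start(), rule.rule_id, m.group(0), rule.hint))
    return sorted(findings, key=lambda f: (f.line, f.column))


def report(findings: list[Finding]) -> list[str]:
    """Render findings as one 'line:col [rule] snippet -> hint' string each."""
    return [f"{f.line}:{f.column} [{f.rule_id}] {f.snippet!r} -> {f.hint}" for f in findings]


if __name__ == "__main__":
    for line in report(scan(SAMPLE_JAVA, load_rules(SERVICE_PAYLOAD))):
        print(line)
```

Two design points carry over to a real plug-in: the rule set is data, not code, so the web service can add or retire rules without shipping a new plug-in build, and a rule the service sends that fails to parse is dropped on its own rather than breaking the whole list.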


Security Retentive said...

This is really cool. I've been wanting something like this for some time. Planning to release it if you get it working?

Nick Coblentz said...

That is the plan... but there's quite a bit of work to do before it's ready for a BETA release. I also need to populate the database with content.

- Nick