Exam CISSP topic 1 question 391 discussion

Actual exam question from ISC's CISSP
Question #: 391
Topic #: 1

Who is the BEST person to review developed application code to ensure it has been tested and verified?

  • A. A developer who knows what is expected of the application, but not the same one who developed it.
  • B. A member of quality assurance (QA) should review the developer’s code.
  • C. A developer who understands the application requirements document, and who also developed the code.
  • D. The manager should review the developer’s application code.
Suggested Answer: A

Comments

BoyBastos
Highly Voted 1 year, 2 months ago
Selected Answer: A
A. A developer who knows what is expected of the application, but not the same one who developed it. Code review is an essential part of the software development process to ensure code quality and identify issues. It's typically conducted by a developer or team member who is familiar with the application's requirements and expectations but is not the same person who wrote the code. This helps in having a fresh perspective and reduces the likelihood of overlooking issues or biases that the original developer might have. Quality assurance (QA) can also be involved in the review process, but a knowledgeable developer is often the first line of defense in identifying code-related problems.
upvoted 5 times
...
Vanlixw
Most Recent 8 months, 1 week ago
Selected Answer: A
Peer review, and QA just for code quality
upvoted 2 times
...
GuardianAngel
9 months, 2 weeks ago
ANSWER B: MEMBER OF QA TEAM The QA code review process comes under the static testing process, which QA generally conducts for the early detection of bugs. Testers have solid observational skills that ensure that the code follows all the essential protocols. https://www.browserstack.com/guide/code-review-for-quality-assurance
upvoted 1 times
...
YesPlease
11 months, 1 week ago
Selected Answer: B
Answer B) A member of quality assurance (QA) should review the developer’s code. The question said who is BEST to perform code review. B includes A. C is wrong because it has to be someone different... and D is wrong because the manager may not even know how to code.
upvoted 2 times
...
Soleandheel
11 months, 2 weeks ago
B. A member of quality assurance (QA) should review the developer’s code. QA professionals typically focus on ensuring that the code meets quality and testing standards, which can include reviewing the code for compliance with coding standards, functional requirements, and testability.
upvoted 1 times
...
mike2021likeaws
1 year, 1 month ago
Selected Answer: B
You might want to walk through your code with a team who does not know too much of your code
upvoted 1 times
...
jens23
1 year, 4 months ago
Selected Answer: B
I used to work with engineering when I worked for a major security appliance vendor and I know that whenever they created a fix or feature, it then was reviewed by the QA team as part of the development process.
upvoted 2 times
...
Delab202
1 year, 7 months ago
Selected Answer: B
  • Developers: The developers who worked on the application code may be the best people to review it, as they are intimately familiar with the code and its intended functionality.
  • Independent testers: Independent testers who are not involved in the development process can provide an unbiased review of the application code, as they are able to approach the code from a fresh perspective and test it in a variety of scenarios.
  • Security specialists: Security specialists who are familiar with the specific security risks and vulnerabilities associated with the type of application being developed can provide a thorough review of the code to ensure that it is secure and resistant to attacks.
  • Quality assurance (QA) specialists: QA specialists who are responsible for ensuring that the application meets all relevant quality standards can review the code to ensure that it has been properly tested and verified.
upvoted 1 times
jackdryan
1 year, 6 months ago
A is correct
upvoted 1 times
...
...
RVoigt
1 year, 8 months ago
Selected Answer: A
CISSP Official Study Guide pg 746 - "Code Review - Code review is the foundation of software assessment programs. During a code review, also known as a peer review, developers other than the one who wrote the code review it for defects. Code reviews may result in approval of an application's move into a production environment, or they may send the code back to the original developer with recommendations for rework of issues detected during the review."
upvoted 3 times
Test12341234
1 year, 7 months ago
It states "to ensure it has been tested and verified". Sounds like a QA task.
upvoted 1 times
...
...
Rollingalx
1 year, 9 months ago
I go with A. A developer who knows what is expected of the application but not the same one who developed it would be the most suitable person to review developed application code to ensure it has been tested and verified. This is because the reviewer should have a good understanding of the requirements and expected functionality of the application, but at the same time be impartial and objective in their assessment of the code. A member of QA could also review the code but he should not be the only person responsible for reviewing the code as he may not have the same level of technical knowledge as a developer.
upvoted 2 times
realmjmj
1 year, 9 months ago
That developer has to be part of QA member from DevOps workflow perspective. Think as a manager. So I go to B
upvoted 3 times
Rollingalx
1 year, 8 months ago
Right, B is correct. The QA team is trained in testing and verification processes and is best equipped to identify any issues or defects in the code.
upvoted 1 times
...
...
...
Community vote distribution: A (35%, Most Voted), C (25%), B (20%), Other