Security Guidelines for Code Review Processes | Singapore Government Developer Portal
Have feedback? Please

Security Guidelines for Code Review Process by Design header banner


Code review processes include spotting potential vulnerabilities in a software’s code during the early stages of the Software Development Life Cycle (SDLC). The guidelines were benchmarked against the Open Worldwide Application Security Project Code Review Guidelines to meet international standards. Through this, software developers and engineers can better identify and assess code vulnerabilities, allowing applications to be built in a more secure, robust and more cost-effective manner.


This code review process ensures that applications are built with security in mind. This reduces the chances of security breaches, data leaks, and other cybersecurity threats.


The scope of the secure guidelines for code review processes covers eight key areas. This includes:

  1. Authentication: preventing malicious users from gaining access to protected functionalities
  2. Authorisation: preventing malicious users from performing unwanted actions on protected resources
  3. Business Logic & Design: minimising flaws in application design and implementation that can lead to unintended behaviours
  4. Data Management: exercising extra precaution such as encryption at rest and in transit to protect sensitive data such as IC numbers
  5. Exception Handling: proper exception handling can prevent leakage of valuable information
  6. Injection Attack: preventing malicious users from adding/injecting content into an application to modify its behaviour
  7. Logging & Auditing: application log messages are important for auditing purposes
  8. Session Management: improper session management can lead to malicious users impersonating others and gaining access to privileged data or application functions

Target Audience and Adoption Criteria

These guidelines are applicable to software developers, engineers, and code reviewers.

Standards, Guidelines and Assessment Criteria

For a summarised checklist of the secure code review process, you may refer to the diagram below.

Fig 1: Summary of the secure code review checklist
Fig 1: Summary of the secure code review checklist

For more guidelines on the code reviewing process within the Goverment, click here.

Contact Information

Please fill up this form if you have further queries.

Last updated 12 October 2023

Was this article useful?
Send this page via email
Share on Facebook
Share on Linkedin
Tweet this page