On Tue, 21 Feb 2017, liujin (K) wrote:
Even today, buffer overflow, integer overflow, and improper validation of array index is still the most common C language code security issues.For small software, to do code review is very easy to operateCode reviews are technically easy to operate, sure, but the problem is rarely the actual review process. The problem for all my projects that I don't do as part of my paid job, is to actually get volunteers to do the job. To spend their spare time and energy on reading someone else's work just to make sure it is good enough.
So then we get in the situation where we can either block process and wait for someone to magically appear at some point and review, or we merge the code anyway to get progress and rely on users in the wild to test it and report back when they find problems. It's a balance.