Tools that assist with security review are fundamentally different from most other kinds of
software development tools. But the need for software security rarely creates the kind of urgency that leads a programmer to run a debugger. For this reason, an organization needs to plan out who will conduct security reviews, when the reviews will take place, and what will be done with the results. Static analysis tools should be part of the planning because they can make the review process significantly more efficient. In this chapter, we will explore two perspectives on code review. In the first, we look at the steps involved in performing a single review and the most common problem that review teams run into: debates about exploitability. In the second, we look at the choices an organization needs to make in order to integrate security review (and the accompanying tools) into the software development process. This includes deciding who will run the tool, when they’ll run it, and what will happen to the results. We will also look at metrics derived from static analysis results.