Earlier today on one of the forums where I hang out, I got into a discussion of code reviews. I mentioned that I recently put together a brief checklist for my company. One person asked about it, so here it is.

  • Are there things that can degrade performance
  • Do you find any infinite loops
  • Are Else and Switch Default conditions in place
  • Is there duplicate code or conditions
  • Has usability of the finished product been considered
  • Are calculations correct
  • Is the code readable
  • Does the code follow best practices and company guidelines
  • Are comments clear, meaningful, plentiful, and not overdone
  • Are complex algorithms and corner-case input clearly commented
  • Are there refactoring opportunities
  • Did you perform psychic or intuitive review (the code just feels wrong)
  • Are unit tests provided for areas where needed
  • Is the class design secure
    • Are variable scope and method visibility limited
    • Are non-base classes sealed
    • Are properties used to expose fields
    • Does the code use read-only properties
  • Is exception handling implemented correctly, including exception reporting and a proper page displayed to the user
  • Are protections against cross-site (XSS) scripting implemented
  • Are protections against SQL injection implemented
  • For public-facing web sites, have connection strings been encrypted

If you want to learn more about code reviews, look at these references

Best Kept Secrets of Peer Code Review”, Jason Cohen, 2011, published by SmartBear Software

Effective Code Reviews Without the Pain”, Robert Bogue, 2006, Developer.com

Running an Effective Code Review”, Esther Schindler, 2008, CIO.com