Software reviews

What Are Software Reviews?

Software reviews are structured quality assurance activities in which software work products, including requirements specifications, design documents, source code, and test plans, are examined by individuals other than the original author to detect defects, verify conformance to standards, and assess technical correctness. Reviews are a primary mechanism for finding errors before they propagate to later phases of development, where the cost of correction rises sharply. The discipline draws from quality management theory and has been a recognized engineering practice since Michael Fagan introduced the formal inspection process at IBM in the 1970s.

IEEE Standard 1028 defines the types of software reviews, their objectives, and the procedures to be followed. The standard distinguishes management reviews, technical reviews, inspections, walkthroughs, and audits, each serving a different purpose in the development lifecycle.

Inspection and Formal Review

Formal software inspection, developed by Michael E. Fagan at IBM in the mid-1970s, is the most rigorous review type. A detailed account of Fagan's inspection process describes five defined phases: planning, overview meeting, preparation, inspection meeting, and rework with follow-up. Each role in the inspection, including moderator, reader, recorder, and author, carries specific responsibilities. Inspections are conducted against entry and exit criteria, and defect data is recorded systematically to support process improvement. Studies at IBM reported that inspections identified up to 93 percent of defects in evaluated programs, substantially reducing the number of issues reaching later testing phases.

The formal inspection model treats defect removal as a measurable engineering activity rather than an informal check. Exit criteria prevent work products from advancing until they meet a defined defect density threshold, ensuring that inspection effort translates to a verifiable quality gate.

Walkthroughs and Technical Reviews

A walkthrough is a less formal review in which the author presents a work product to peers for comment and discussion. The IEEE Standard 1028 for software reviews defines walkthroughs as author-led sessions where the primary purpose is education, knowledge transfer, and defect identification through discussion rather than line-by-line examination. Technical reviews occupy a middle ground: they are led by a trained moderator and follow a defined procedure, but they focus on technical correctness and design decisions rather than achieving the complete defect census targeted by a formal inspection. Both walkthrough and technical review forms are appropriate for design artifacts that benefit from broader discussion before detailed implementation begins.

Code Review in Modern Practice

Contemporary software development has adapted formal review concepts to fit continuous integration and version control workflows. Pull request reviews, popularized by distributed version control systems such as Git, present code changes to designated reviewers before merging into a shared branch. This lightweight approach scales more easily than formal inspection meetings in teams with distributed members and short release cycles. Automated static analysis tools run in parallel with human review, flagging common error classes such as null pointer dereferences, security misconfigurations, and style violations before a human reviewer sees the code. The OWASP community maintains guidance on integrating security checks into code review processes as part of its broader application security framework.

Applications

Software reviews have applications in a wide range of disciplines, including:

  • Avionics and medical device software subject to DO-178C and IEC 62304 certification requirements
  • Financial systems where review records satisfy regulatory audit obligations
  • Open-source projects using pull request workflows to maintain code quality
  • Security-sensitive applications requiring adversarial review of authentication and cryptographic code
  • Government and defense software under contractual quality assurance requirements
Loading…