Closed sazo closed 4 years ago
That's a fair question! We do briefly call attention to security in the 'Every Line' section, but it's only to say that if you don't feel qualified to review security issues, ask for help.
Now, why don't we say more? We probably could. We call attention to a lot of things in the doc but it isn't an exhaustive list. The general guidance is that a reviewer should make a comment on anything that looks unsafe, whether security or otherwise.
Rest assured that Google takes security very seriously and that our code review policy does not represent the full investment we make :)
Out of pure curiosity. :)
I am thinking this is taken care of someplace else or the risk profile is just different from project to project. So you can't make it a general description maybe. I just wonder why it's not a point to look for?
Btw, thanks for an awesome guide, perfect for inspiration - thanks for sharing it.