Code review in AP Cybersecurity

In AP Cybersecurity, code review is the process of examining an application's source code to catch security flaws, like missing input sanitization, before the software ships. It's a key way developers put the secure by design principle into practice (Topic 5.5).

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is code review?

Code review means having a person (or sometimes an automated tool) read through source code to look for bugs and security weaknesses before that code goes live. Think of it like proofreading an essay, except the typos you're hunting for can let an attacker into the system.

In the AP Cybersecurity framework, code review fits under secure by design (EK 5.5.A.1), the idea that security should be built in during every phase of development, not bolted on at the end. When a reviewer reads code, one of the biggest things they check is whether user input is handled safely. If a program drops raw user input straight into a command without checking it, an attacker can sneak in control characters like the single quote, double quote, or semicolon, which a shell, database, or browser treats as syntax rather than as data, to manipulate the system (EK 5.5.B.1). A good code review catches that the developer forgot to validate the input or call a sanitization function, and flags it before the flaw ever reaches users (EK 5.5.B.2).
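As an added example (not code from the AP course or this guide), here is the kind of flaw a reviewer is hunting for when user input reaches a command. The endpoint, the function names, and the allow-list policy in `HOST_PATTERN` are all assumptions made for the illustration. The unsafe version interpolates the raw input into a shell command string; the fixed version validates the input and builds an argument list instead, so no shell ever parses it. Nothing is executed: each function returns what would run, which is exactly what a reviewer reads.

```python
"""Added example: the flaw a reviewer looks for when user input reaches a command.

A hypothetical endpoint lets users ping a host they type in. Neither function
runs the command; both return what *would* run so the difference is visible.
"""
import re

# Assumed input policy: a hostname or IPv4 address, nothing else.
# Letters, digits, dots and hyphens only; no spaces, quotes or semicolons.
HOST_PATTERN = re.compile(r"[A-Za-z0-9.-]{1,253}")


def build_ping_unsafe(host: str) -> str:
    """VULNERABLE: raw user input dropped into a shell command line.

    If this string were run with subprocess.run(cmd, shell=True), the shell
    would treat ';' as the end of the ping command and run whatever follows.
    """
    return f"ping -c 1 {host}"


def build_ping_safe(host: str) -> list[str]:
    """FIXED: validate first, then build an argv list instead of a string.

    subprocess.run(argv) passes each element as one argument, so a ';' or a
    quote could at most be a character inside the hostname, never shell syntax.
    The allow-list check rejects such input before it gets that far anyway.
    """
    if not HOST_PATTERN.fullmatch(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def shell_would_run(cmd_line: str) -> list[str]:
    """Review aid: split a command line on ';' the way a POSIX shell separates
    commands (simplified: ignores quoting), to expose the hidden second command
    in the unsafe version."""
    return [part.strip() for part in cmd_line.split(";") if part.strip()]


if __name__ == "__main__":
    attacker_input = "example.com; cat /etc/passwd"  # constructed sample input
    print(shell_would_run(build_ping_unsafe(attacker_input)))
    try:
        build_ping_safe(attacker_input)
    except ValueError as err:
        print("fixed version rejects it:", err)
    print(build_ping_safe("example.com"))
```

The review comment on `build_ping_unsafe` would be one line: "user input reaches a shell string unvalidated; reject anything outside the hostname alphabet and pass an argument list." Both halves of the fix matter: validation stops the semicolon at the door, and the argv list means a character that slipped through still could not become syntax.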

Why code review matters in AP Cybersecurity

Code review lives in Unit 5: Securing Applications and Data, specifically Topic 5.5 Protecting Applications. It supports learning objective 5.5.A (secure by design and security by default) by showing how security gets baked into the development process, and 5.5.B (user input sanitization) by being the moment where a missing or weak sanitization function actually gets caught. The whole point of secure by design is that companies take ownership of customer security outcomes (EK 5.5.A.2), and code review is one of the concrete habits that makes that ownership real instead of just a slogan.


How code review connects across the course

Secure Coding (Unit 5)

Secure coding is writing code safely in the first place; code review is the check that confirms the developer actually did it. They're two halves of the same goal, so a strong code review program is basically secure coding with a second set of eyes.

User Input Sanitization (Unit 5)

Sanitization strips or encodes dangerous control characters (quotes, semicolons, angle brackets) in user input so they can no longer change what a command or page does. Code review is often where a reviewer notices the sanitization function was skipped, making the review the safety net behind EK 5.5.B.

Cross-Site Scripting (Unit 5)

XSS happens when an app places unsanitized input into a web page and the victim's browser executes that input as script. A thorough code review is one of the cheapest ways to spot the unsanitized output that makes an XSS attack possible before it ever ships.
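As an added example (not code from the AP course or this guide), here is the output-side version of the same mistake, the pattern a reviewer checks for when looking for XSS. The profile page, the function names, and the sample payload are assumptions made for the illustration. The unsafe version concatenates the raw display name into HTML in two places, an attribute value and an element body; the fixed version HTML-encodes it first with the standard library's `html.escape`, so `<`, `>`, quotes and `&` reach the browser as text rather than markup.

```python
"""Added example: the unsanitized-output pattern a reviewer checks for in XSS.

A hypothetical profile page echoes a user's display name back into HTML.
"""
import html


def render_profile_unsafe(display_name: str) -> str:
    """VULNERABLE: raw input inserted into an attribute value and an element body.

    A double quote in the input closes value="..." early, and '<' starts a tag,
    so the user's text is parsed as markup by the browser.
    """
    return (
        f'<input name="display_name" value="{display_name}">'
        f"<p>Welcome back, {display_name}!</p>"
    )


def render_profile_safe(display_name: str) -> str:
    """FIXED: encode the value before it lands in the HTML context.

    html.escape(quote=True) turns & < > " ' into entities, so the browser
    displays them as characters and never sees a tag or an attribute boundary.
    """
    encoded = html.escape(display_name, quote=True)
    return (
        f'<input name="display_name" value="{encoded}">'
        f"<p>Welcome back, {encoded}!</p>"
    )


def script_injected(rendered: str) -> bool:
    """Review aid: does a <script ...> tag appear in the rendered page?

    Crude on purpose; it is enough to show whether the payload survived.
    """
    return "<script" in rendered.lower()


if __name__ == "__main__":
    # Constructed sample payload: closes the attribute, then opens a script tag.
    payload = '"><script>alert(1)</script>'
    print("unsafe page injected:", script_injected(render_profile_unsafe(payload)))
    print("safe page injected:  ", script_injected(render_profile_safe(payload)))
    print(render_profile_safe(payload))
```

The reviewer's note on `render_profile_unsafe` is the same as for the command case: user-controlled data reaches an interpreter (here the browser's HTML parser) without being encoded for that context. Note that `quote=True` is what protects the attribute: escaping only `<` and `>` would still let a double quote break out of `value="..."`.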

Is code review on the AP Cybersecurity exam?

Expect code review to show up as part of the bigger secure by design and secure coding picture, not usually as a standalone vocab term. On multiple-choice questions, you might see a scenario describing a flaw that slipped into production and be asked which practice would have caught it earlier, where code review is the answer. You should be able to explain WHY reviewing code before deployment matters: it puts the secure by design principle into action and is a chance to catch missing input sanitization before attackers find it. No released FRQ has used this term verbatim, but it directly supports explaining how organizations protect applications under objectives 5.5.A and 5.5.B.

Code review vs secure coding

Secure coding is the act of writing the code defensively from the start. Code review is the inspection step that happens after code is written to verify it's actually secure. One is the writing, the other is the checking, and the AP exam wants you to know both belong to secure by design.

Key things to remember about code review

  • Code review is the practice of examining source code to find security flaws before an application is deployed.

  • It puts the secure by design principle (EK 5.5.A.1) into action by building security checks into the development process instead of after release.

  • A major thing reviewers hunt for is missing user input sanitization, since unsanitized control characters like quotes and semicolons can be used to attack the system.

  • Code review is the inspection step, while secure coding is the writing step; together they make up how organizations protect applications in Topic 5.5.

  • Catching a flaw in review is far cheaper and safer than patching it after an attacker exploits it in production.

Frequently asked questions about code review

What is code review in AP Cybersecurity?

It's the process of reading through an application's source code to catch security flaws before the software is released. In Topic 5.5 it's tied to secure by design and to checking that user input is properly sanitized.

Is code review the same as secure coding?

No. Secure coding is writing the code defensively in the first place, while code review is inspecting that code afterward to confirm it's actually safe. Both fall under the secure by design approach.

Why does code review help prevent attacks like XSS or injection?

Those attacks usually happen when an app trusts unsanitized user input. During a review, someone can spot that a sanitization function was skipped and the control characters (quotes, semicolons) aren't being filtered, fixing the hole before attackers find it.

Do I need to memorize code review for the AP Cybersecurity exam?

You don't need to memorize a strict definition, but you should be able to explain that code review is part of secure by design and that it's a chance to catch missing input sanitization, which connects to objectives 5.5.A and 5.5.B.

How is code review part of secure by design?

Secure by design means building security into every phase of development. Code review is one of the concrete practices inside those phases, the moment a company takes ownership of security by checking code for flaws before customers ever use it (EK 5.5.A.2).


Code Review — AP Cybersecurity Definition & Exam Guide | Fiveable