Security source code review scoping questionnaire

Usually, when a customer comes with a request for a security source code review, one of the main questions is “How long will it take?”. The answer to that particular question is not an easy one, because it depends on many factors:
– application architecture and complexity
– presence or absence of documentation
– code quality – structure, comments, coding style
– presence or absence of static code analysis tools
– the security team's work pace
and so on.

With those considerations in mind, an answer to the important timing question still needs to be provided, so that we can find common ground between the customer's expectations and the auditors' capabilities. The precision of the answer depends mostly on the preliminary information the customer is able and willing to provide.
A good approach to facilitate the scoping process is to equip the customer with a scoping questionnaire. This would:
– provide the auditing team with basic information about the application and help them build further discussions on it
– help standardize the scoping process
– improve the project documentation process

You can find my first attempt to put together a security source code review scoping questionnaire in the download links below.
The questions are compiled from a “zero preliminary knowledge” standpoint.
If some preliminary information about the application architecture or technologies is available, the questions can be modified and made more specific.

If you find the questionnaire helpful or have any comments, I would be more than happy to hear from you.

Enjoy!

ENGLISH version download: SSCR_ScopingQuestionnaire.pdf

BULGARIAN version download: SSCR_ScopingQuestionnaire_BG.pdf
