QP05 Pair Programming Practices
What this means
SiteShadow flagged signals suggesting that pairing or second-set-of-eyes practices may be absent. Pairing isn't mandatory for every team, but the underlying goal is the same: fast feedback on risky changes before they land.
Why it matters
Pairing can reduce defects and improve security review.
- Fewer blind spots in auth/validation/edge cases.
- Better knowledge sharing for critical security-sensitive code.
- Lower bug rate for complex changes.
Safer examples
1) Pair on high-risk changes
Auth flows, permissions, crypto, file handling, CI/CD and infra changes.
2) Use "rubber duck" reviews if pairing isn't feasible
Short synchronous walkthroughs catch issues early.
3) Combine with code review and tests
Pairing complements (but doesn't replace) PR review and automated tests.
How SiteShadow detects it (high level)
- Uses workflow and repository signals that correlate with single-author changes landing without any feedback loop (no reviewer, no pairing, no discussion).
- Flags projects where process signals (reviews, tests, merge gates) are consistently missing rather than occasionally skipped.
References
- OWASP Top 10: https://owasp.org/Top10/