Michael Howard talks about SDL crypto code review on his blog. He says:
When I review code for security bugs I basically do the following:
1) Run static analysis tools and compile with /W4 to see which source code files appear to have more warnings or errors. This may indicate more bugs.
2) Look for known issues, such as banned APIs and banned functionality. I hand review anything I spot in this pass, but the noise can be very high.
3) Drill down into the riskiest code (i.e. line-by-line review) based on the threat models.
Michael decided to create a simple macro to help with (2) when reviewing code for potential crypto issues. You can read about it and download the code at his blog (here).
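As an added illustration of the kind of pass step (2) describes, here is a small Python scanner that greps source for a hit-list of banned crypto APIs and reports each line for hand review. This is not Michael Howard's macro and not code from his post; the pattern list below is an assumed, illustrative subset (not the SDL's authoritative banned list), and the C source it scans is constructed for the example. Stripping comments is one cheap way to cut the noise he mentions; the example shows the difference it makes.

```python
"""Banned-crypto-API hit-list pass (added example; patterns and sample input are constructed)."""
import re
from dataclasses import dataclass
from typing import List

# Illustrative hit-list: regex -> why a reviewer should look closer.
# Assumed for this example; a real review would use the project's own banned list.
BANNED_CRYPTO = [
    (re.compile(r"\b(?:MD5\w*|CALG_MD5|EVP_md5)\b"), "MD5: collision resistance is broken"),
    (re.compile(r"\b(?:SHA1\w*|CALG_SHA1|EVP_sha1)\b"), "SHA-1: deprecated for signatures"),
    (re.compile(r"\b(?:RC4\w*|CALG_RC4|EVP_rc4)\b"), "RC4: biased keystream"),
    (re.compile(r"\b(?:DES_\w+|CALG_DES|EVP_des_\w+)\b"), "DES: 56-bit key"),
    (re.compile(r"\b(?:CRYPT_MODE_ECB|EVP_\w+_ecb)\b"), "ECB mode: leaks plaintext structure"),
    (re.compile(r"\b(?:rand|srand|random)\s*\("), "C library PRNG: unsuitable for key material"),
]

# Matches a trailing // comment or a /* ... */ comment contained in one line.
COMMENT_RE = re.compile(r"//.*$|/\*.*?\*/")


@dataclass
class Finding:
    line_no: int
    reason: str
    text: str


def strip_comments(line: str) -> str:
    """Drop // and single-line /* */ comments so commentary is not counted as API use.
    Multi-line block comments are out of scope for this small example."""
    return COMMENT_RE.sub("", line)


def scan_source(source: str, skip_comments: bool = True) -> List[Finding]:
    """Return one Finding per (line, banned pattern) hit, in line order."""
    findings: List[Finding] = []
    for n, raw in enumerate(source.splitlines(), start=1):
        line = strip_comments(raw) if skip_comments else raw
        for pattern, reason in BANNED_CRYPTO:
            if pattern.search(line):
                findings.append(Finding(n, reason, raw.strip()))
    return findings


# Constructed CryptoAPI-style sample: two real problems, one PRNG misuse, one
# comment that merely mentions MD5 (noise), and one clean SHA-256 function.
SAMPLE_SOURCE = r"""
#include <windows.h>
#include <wincrypt.h>
// Legacy hashing retained for compatibility; MD5 is only used for checksums.
BOOL HashBlob(HCRYPTPROV prov, BYTE *data, DWORD len) {
    HCRYPTHASH h;
    if (!CryptCreateHash(prov, CALG_MD5, 0, 0, &h)) return FALSE;   /* banned */
    return CryptHashData(h, data, len, 0);
}
BOOL EncryptBlob(HCRYPTKEY key, BYTE *buf, DWORD *len) {
    DWORD mode = CRYPT_MODE_ECB;
    CryptSetKeyParam(key, KP_MODE, (BYTE *)&mode, 0);
    return CryptEncrypt(key, 0, TRUE, 0, buf, len, *len);
}
void MakeSessionKey(BYTE *out, size_t n) {
    srand((unsigned)time(NULL));
    for (size_t i = 0; i < n; i++) out[i] = (BYTE)rand();
}
BOOL HashStrong(HCRYPTPROV prov, BYTE *data, DWORD len) {
    HCRYPTHASH h;
    if (!CryptCreateHash(prov, CALG_SHA_256, 0, 0, &h)) return FALSE;
    return CryptHashData(h, data, len, 0);
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no:>3}: {f.reason}\n          {f.text}")
    noisy = len(scan_source(SAMPLE_SOURCE, skip_comments=False))
    print(f"\n{noisy} hits without comment stripping, {len(scan_source(SAMPLE_SOURCE))} with it")
```

Every hit is a lead for hand review, not a verdict: `MD5_DIGEST_LENGTH` in a compatibility shim will trip the MD5 pattern just as a live `CryptCreateHash(..., CALG_MD5, ...)` does, which is exactly the noise the second review step warns about.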