Describe your methodology for performing a secure code review (the process, not a single bug).
Start by understanding context before reading any code: what the application does, which data is sensitive, what the trust model is (who is trusted with what, and where the trust boundaries fall), and where the entry points are. Then review risk-first: trace untrusted input from sources (HTTP parameters, headers, uploaded files, message-queue payloads) to dangerous sinks (database queries, command execution, deserialization, file-path construction, template rendering), and at each trust boundary check that validation, output encoding, and authorization actually happen rather than assuming they do. Pay special attention to authentication and authorization on every endpoint, secrets handling, cryptographic usage, and calls into third-party dependencies. Use automated tooling (SAST, or grep over the codebase for known sink patterns) to surface candidates, then spend manual review time on the business-logic and authorization flaws that tools miss. Time-box the engagement, take notes as you go, prioritize findings by exploitability and impact, and give developers concrete, actionable fixes together with the root-cause pattern so the same class of bug does not recur.
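One way to produce the candidate list that the sink-pattern step describes, as an added example that is not part of the original answer: a small Python AST scanner that flags calls to a catalogue of dangerous sinks and ranks the ones whose arguments are not plain literals first, since those are where the manual source-to-sink trace starts. The sink catalogue, the Finding/triage names, and the SAMPLE code under review are all constructed for this example and are not drawn from any real project.

```python
from __future__ import annotations

import ast
from dataclasses import dataclass

# Sink catalogue (constructed for this example; extend it per codebase).
# A call matches on its full dotted name ("os.system") or on a trailing
# component ("execute" matches cur.execute or db.cursor().execute).
SINKS = {
    "os.system": "command execution",
    "subprocess.run": "command execution",
    "subprocess.Popen": "command execution",
    "subprocess.call": "command execution",
    "eval": "code execution",
    "exec": "code execution",
    "pickle.loads": "deserialization",
    "pickle.load": "deserialization",
    "yaml.load": "deserialization",
    "execute": "SQL query",
    "open": "file path",
}


@dataclass
class Finding:
    line: int
    call: str           # the call as written, e.g. "cur.execute"
    category: str
    dynamic_args: bool  # True if any argument is not a plain literal
    note: str = ""


def _call_name(node: ast.Call) -> str | None:
    """Rebuild a dotted name such as 'os.system' from a Call node.
    Returns None when the callee is not a simple name/attribute chain
    (for example the .read() in open(...).read())."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def _is_literal(node: ast.AST) -> bool:
    """Constants, and lists/tuples of constants, cannot carry attacker input."""
    if isinstance(node, ast.Constant):
        return True
    if isinstance(node, (ast.List, ast.Tuple)):
        return all(_is_literal(e) for e in node.elts)
    return False


def find_sinks(source: str) -> list[Finding]:
    """Return every call to a catalogued sink, in line order."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name is None:
            continue
        match = next((k for k in SINKS if name == k or name.endswith("." + k)), None)
        if match is None:
            continue
        args = list(node.args) + [kw.value for kw in node.keywords]
        finding = Finding(node.lineno, name, SINKS[match],
                          any(not _is_literal(a) for a in args))
        if match.startswith("subprocess."):
            # shell=True hands the argument string to /bin/sh: much higher risk
            shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True for kw in node.keywords)
            finding.note = "shell=True" if shell else "shell=False"
        elif match == "yaml.load":
            finding.note = ("Loader set" if any(kw.arg == "Loader" for kw in node.keywords)
                            else "no Loader")
        findings.append(finding)
    return sorted(findings, key=lambda f: f.line)


def triage(source: str) -> list[Finding]:
    """Sinks fed non-literal arguments come first: that is where the manual
    source-to-sink trace begins. Literal-only calls stay on the list at lower
    priority so the reviewer can confirm they really are constant."""
    return sorted(find_sinks(source), key=lambda f: (not f.dynamic_args, f.line))


# Constructed sample code under review (not from any real project).
SAMPLE = '''
import os, subprocess, pickle

def ping(host):
    # host arrives straight from an HTTP query parameter
    return os.system("ping -c 1 " + host)

def run_report():
    subprocess.run(["report", "--daily"], shell=False)

def load_session(blob):
    return pickle.loads(blob)

def read_banner():
    return open("/etc/motd").read()

def lookup(db, user_id):
    cur = db.cursor()
    cur.execute(f"SELECT * FROM users WHERE id = {user_id}")
'''

if __name__ == "__main__":
    for f in triage(SAMPLE):
        flag = "REVIEW" if f.dynamic_args else "low   "
        print(f"{flag} line {f.line:>3}  {f.category:<18} {f.call}  {f.note}")
```

Running the block lists the os.system, pickle.loads and cursor.execute calls first (each receives a value built at runtime), with the constant-argument subprocess.run and open calls below them. The scanner only finds candidates; it cannot tell whether `host` or `user_id` is validated upstream or whether the endpoint enforces authorization, which is exactly the part the answer reserves for manual review.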