[WEB SECURITY] code review techniques for when you don't trust your developers or testers
mat at phpconsulting.com
Tue Aug 11 15:02:49 EDT 2009
Have we all attained the realization that static analysis is where the real
work of appsec gets done?
I'll argue that source review (automated, manual) and enlightened DBAs are
broadly better at solving the insider threat problem than dynamic
Would love to hear from others who have been successful at uncovering an
insider threat with source code review/static analysis.
Specifically: what worked, what didn't? How helpful, or not, was version
control or other typical controls around the development process?
caughron at gmail.com