[WEB SECURITY] code review techniques for when you don't trust your developers or testers

Mat Caughron mat at phpconsulting.com
Tue Aug 11 15:02:49 EDT 2009


Have we all attained the realization that static analysis is where the real
work of appsec gets done?

I'll argue that source review (automated, manual) and enlightened DBAs are
broadly better at solving the insider threat problem than dynamic

Would love to hear from others who have been successful at uncovering an
insider threat with source code review/static analysis.
Specifically: what worked, what didn't? How helpful, or not, was version
control or other typical controls around the development process?

Mat Caughron
caughron at gmail.com
(408) 910-1266