[WEB SECURITY] code review techniques for when you don't trust your developers or testers

Blain Smith BLSMITH at hsph.harvard.edu
Wed Aug 12 10:21:09 EDT 2009

We are a small shop where we do our development work, so we have the luxury of manual code reviews. Once changes have been made to an application, it is tested and code reviewed by other developers. Only two developers have the keys to push changes to the live environment, and they perform testing/reviews as well.

Even though code reviews make it take longer to push changes through the process, I believe they are essential. Automated systems can catch most of the flaws, but it sometimes takes that extra set of real eyes to uncover more.

I also believe that involving every developer in the code review process makes them better programmers as well, because they are constantly worrying about security whether they are coding or reviewing.

Blain D. Smith
Lead Web Developer and Database Programmer
Harvard School of Public Health
Department of Information Technologies
blain_smith at harvard.edu

>>> Mat Caughron <mat at phpconsulting.com> 8/11/2009 3:02 PM >>>

Have we all attained the realization that static analysis is where the real
work of appsec gets done?

I'll argue that source review (automated, manual) and enlightened DBAs are
broadly better at solving the insider threat problem than dynamic

Would love to hear from others who have been successful at uncovering an
insider threat with source code review/static analysis.
Specifically: what worked, what didn't? How helpful, or not, was version
control or other typical controls around the development process?

Mat Caughron
caughron at gmail.com 
(408) 910-1266
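As an added illustration of the two points made above (Mat's claim that static analysis is where insider-planted flaws get found, and Blain's caveat that automated checks still need a second set of human eyes), here is a small Python AST pass written for this page. It is not code from either poster or from any tool or product named in the thread. The function-name heuristic, the two patterns it looks for, and the three sample sources it scans are all constructed assumptions: two samples contain a planted login bypass the pass flags, and the third contains an equivalent bypass it cannot see, which is exactly the case a manual reviewer is there to catch.

```python
"""Toy static-analysis pass for planted authentication bypasses (added example).

Scans Python source with the stdlib ast module, restricted to functions whose
names suggest an authentication path, for two backdoor shapes an insider might
commit:
  1. a variable compared to a string literal (hard-coded master credential)
  2. a boolean `... or True` that makes the whole check pass unconditionally
The heuristic, the patterns and the sample sources are assumptions for this
example, not anything the mailing-list thread itself describes.
"""
import ast
from typing import List, Tuple

# Name fragments that mark a function as worth scrutinising (assumption).
AUTH_HINTS = ("auth", "login", "verify", "password")


def _in_auth_path(func_name: str) -> bool:
    name = func_name.lower()
    return any(hint in name for hint in AUTH_HINTS)


def find_suspicious(source: str) -> List[Tuple[int, str]]:
    """Return (lineno, message) for each suspicious construct found inside
    functions whose names match AUTH_HINTS. Only parses; never executes."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef) or not _in_auth_path(func.name):
            continue
        for node in ast.walk(func):
            # Pattern 1: Name compared against a string literal, e.g. user == "maint".
            if isinstance(node, ast.Compare):
                operands = [node.left, *node.comparators]
                literals = [o.value for o in operands
                            if isinstance(o, ast.Constant) and isinstance(o.value, str)]
                names = [o.id for o in operands if isinstance(o, ast.Name)]
                if literals and names:
                    findings.append((node.lineno,
                                     f"{func.name}: {names[0]} compared to literal {literals[0]!r}"))
            # Pattern 2: `<anything> or True` short-circuits the real check.
            elif isinstance(node, ast.BoolOp) and isinstance(node.op, ast.Or):
                if any(isinstance(v, ast.Constant) and v.value is True for v in node.values):
                    findings.append((node.lineno,
                                     f"{func.name}: 'or True' short-circuits the check"))
    return findings


# --- Constructed sample sources (not real code from any project) -------------

# Planted master login: caught by pattern 1 (two hits on line 5).
BACKDOORED = '''\
import hashlib
import hmac

def check_password(user, password, stored_hash):
    if user == "maint" and password == "letmein":   # planted master login
        return True
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hash)
'''

# "Temporary" debug bypass: caught by pattern 2 (one hit on line 5).
ALWAYS_TRUE = '''\
import hashlib
import hmac

def verify_token(token, expected):
    return hmac.compare_digest(token, expected) or True   # left in "for testing"
'''

# Same bypass as BACKDOORED, but the literal is assembled from code points and
# the comparison is Name-vs-Name, so neither pattern fires. This is the kind of
# change only a human reading the diff tends to notice.
SUBTLE = '''\
import hashlib
import hmac

MAINT = "".join(chr(c) for c in (109, 97, 105, 110, 116))   # spells "maint"

def check_password(user, password, stored_hash):
    digest = hashlib.sha256(password.encode()).hexdigest()
    ok = hmac.compare_digest(digest, stored_hash)
    return ok or user == MAINT
'''

SAMPLES = {"BACKDOORED": BACKDOORED, "ALWAYS_TRUE": ALWAYS_TRUE, "SUBTLE": SUBTLE}


def scan_samples() -> dict:
    """Run the pass over every constructed sample and return name -> findings."""
    return {name: find_suspicious(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {len(hits)} finding(s)")
        for lineno, msg in hits:
            print(f"  line {lineno}: {msg}")
```

The point of the third sample is the practitioner's caveat: a pattern-based pass is cheap to run on every commit and does catch the naive version of a planted credential, but a reviewer who is motivated to hide the change only needs to move the literal one step away from the comparison. Version control helps here precisely because the reviewer sees the diff that introduced MAINT, not just the final file.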
