[WEB SECURITY] code review techniques for when you don't trust your developers or testers

Boberski, Michael [USA] boberski_michael at bah.com
Wed Aug 12 12:07:48 EDT 2009


Regarding the paragraph "Even though code reviews take longer to... Automated systems can catch...",

The depth and breadth of code reviews (and other verification techniques such as security testing) can be ratcheted up or down according to life-cycle or other considerations such as business-related considerations using OWASP ASVS http://www.owasp.org/index.php/ASVS which is a new OWASP documentation tool.

Figure out what level is appropriate, then review ASVS to determine which verification requirements are included for that level, then start reviewing ("verifying") but bound and scope your review according to the selected level's verification requirements.

Results are repeatable and you won't have gotten involved in an open-ended exercise, regardless of the level chosen. You also now have a metric that you can use to explain the level of trust that would be wise to put in a verified application, or alternatively a target that you can tell developers they need to meet.

Best,

Mike B.
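As an added illustration of the level-scoped review described above (example code added to this archive page, not part of the original post and not OWASP's own tooling): the requirement identifiers, wording and level assignments in the catalogue are constructed stand-ins for the real ASVS verification requirements, and the cumulative level scheme (level N includes everything required at levels 1..N) is an assumption about how the catalogue is organised. The point it shows is the bounding: verdicts can only be recorded against in-scope requirements, each verdict needs evidence, and the report gives the coverage and attainment numbers that can be handed to developers as a target.

```python
"""Scope a code review to an ASVS-style verification level and score the result.

Added example, not from the original mailing-list post or from OWASP.  The
requirement identifiers, wording and level assignments below are constructed
placeholders standing in for the real ASVS verification requirements; the
level numbering (1 = least rigorous) follows the general ASVS scheme.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    PASS = "pass"
    FAIL = "fail"


@dataclass(frozen=True)
class Requirement:
    rid: str        # requirement identifier (constructed, ASVS-style)
    area: str       # verification area
    text: str       # what the reviewer must confirm
    min_level: int  # lowest level at which the requirement is in scope


# Constructed sample catalogue; a real review would load the ASVS text.
CATALOGUE = (
    Requirement("V2.1", "Authentication",
                "Every non-public page and resource requires authentication", 1),
    Requirement("V2.4", "Authentication",
                "Stored credentials use a salted, iterated hash", 2),
    Requirement("V5.1", "Input validation",
                "Invalid input is rejected rather than silently sanitised", 1),
    Requirement("V5.3", "Input validation",
                "Every SQL statement is parameterised", 1),
    Requirement("V7.1", "Cryptography",
                "Only validated cryptographic modules are used", 3),
    Requirement("V14.1", "Security architecture",
                "A current threat model for the application exists", 3),
)


def scope_for_level(level, catalogue=CATALOGUE):
    """Requirements that must be verified at `level`.

    Levels are assumed cumulative: level N includes every requirement whose
    min_level is at most N, so choosing a higher level widens the review."""
    if level < 1:
        raise ValueError("verification level must be >= 1")
    return [r for r in catalogue if r.min_level <= level]


@dataclass
class Review:
    """One bounded review: verdicts may only be recorded for in-scope items."""
    level: int
    catalogue: tuple = CATALOGUE
    verdicts: dict = field(default_factory=dict)   # rid -> (Verdict, evidence)
    parked: list = field(default_factory=list)      # out-of-scope observations

    def __post_init__(self):
        self.scope = {r.rid: r for r in scope_for_level(self.level, self.catalogue)}

    def record(self, rid, verdict, evidence):
        """Record a verdict with the evidence (file, line, test) that supports it.

        Rejecting out-of-scope ids is what keeps the review from becoming
        open-ended; evidence is what makes the result repeatable."""
        if rid not in self.scope:
            raise ValueError(f"{rid} is not in scope at level {self.level}; park it instead")
        if not evidence:
            raise ValueError("a verdict without evidence is not repeatable")
        self.verdicts[rid] = (verdict, evidence)

    def park(self, rid, note):
        """Keep an observation outside the selected level without counting it."""
        self.parked.append((rid, note))

    def report(self):
        """Coverage and attainment numbers that can be handed to developers."""
        in_scope = len(self.scope)
        verified = len(self.verdicts)
        failed = sorted(r for r, (v, _) in self.verdicts.items() if v is Verdict.FAIL)
        unverified = sorted(set(self.scope) - set(self.verdicts))
        return {
            "level": self.level,
            "in_scope": in_scope,
            "verified": verified,
            "coverage": verified / in_scope,
            "failed": failed,
            "unverified": unverified,
            # The level is attained only when every in-scope item passed.
            "attained": verified == in_scope and not failed,
        }


if __name__ == "__main__":
    rv = Review(level=1)
    rv.record("V2.1", Verdict.PASS, "auth filter mapped to /* in web.xml")
    rv.record("V5.3", Verdict.FAIL, "string concatenation in ReportDao.search()")
    rv.park("V7.1", "crypto module choice noted; a level 3 concern")
    print(rv.report())
```

The "attained" flag is deliberately strict: one failed or unverified requirement means the level is not met, so the number reported to developers is a target rather than a score they can partially satisfy.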


-----Original Message-----
From: Blain Smith [mailto:BLSMITH at hsph.harvard.edu] 
Sent: Wednesday, August 12, 2009 10:21 AM
To: Mat Caughron; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] code review techniques for when you don't trust your developers or testers

We are a small shop where we do our development work so we have the luxury of manual code reviews. Once changes have been made to an application it is tested and code reviewed by other developers. Only 2 developers have the keys to push changes to the live environment and they also perform testing/reviews as well.

Even though code reviews take longer to push changes through the process I believe it is essential. Automated systems can catch most of the flaws, but it takes that extra set of real eyes sometimes to uncover more.

I also believe that involving every developer in the code review process makes them better programmers as well because they are constantly worrying about security whether they are coding or reviewing.

Blain D. Smith
Lead Web Developer and Database Programmer
Harvard School of Public Health
Department of Information Technologies
http://www.hsph.harvard.edu/it
blain_smith at harvard.edu
617.432.6291


>>> Mat Caughron <mat at phpconsulting.com> 8/11/2009 3:02 PM >>>
All:

Have we all attained the realization that static analysis is where the real work of appsec gets done?

I'll argue that source review (automated, manual) and enlightened DBAs are broadly better at solving the insider threat problem than dynamic techniques.

Would love to hear from others who have been successful at uncovering an insider threat with source code review/static analysis.
Specifically: what worked, what didn't?  How helpful, or not, was version control or other typical controls around the development process?



Mat Caughron
caughron at gmail.com
(408) 910-1266

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

