[WEB SECURITY] code review techniques for when you don't trust your developers or testers

Mat Caughron mat at phpconsulting.com
Thu Aug 13 12:32:46 EDT 2009

Hi Billy:

If you want a badder badnessometer*, keep scanning.

If you want to fix problems in appsec, you need source, specific actionable
modifications to source, insights into how to fix the source, executive
buy-in to make and go production with changes, meaningful access to most if
not all players in the SDLC, etc...

Obviously, there's a lot of money in the "keep scanning" game, and I do not
wish to comment here on how legitimate or not that approach is.  Rather, my
email points to the necessity of source review for appsec, specifically
regarding insider threat.

>From your email, are you proposing that it is possible to solve the insider
threat problem without static analysis?  Say more!

Mat Caughron
(408) 910-1266

* attributed to G.McGraw

On Tue, Aug 11, 2009 at 3:24 PM, Hoffman, Billy <billy.hoffman at hp.com>wrote:

>  This is a rather odd email. Granted I work for a vendor with both dynamic
> and I’m put off by the whole “Here is a view that I hold as gospel truth,
> please give me real examples to support that view.” I am misreading this?
> Billy Hoffman
> --
> Manager, Web Security Research Group
> HP Software
> Direct: 770-343-7069
> *From:* Mat Caughron [mailto:mat at phpconsulting.com]
> *Sent:* Tuesday, August 11, 2009 3:03 PM
> *To:* websecurity at webappsec.org
> *Subject:* [WEB SECURITY] code review techniques for when you don't trust
> your developers or testers
> All:
> Have we all attained the realization that static analysis is where the real
> work of appsec gets done?
> I'll argue that source review (automated, manual) and enlightened DBA's are
> broadly better at solving the insider threat problem than dynamic
> techniques.
> Would love to hear from others who have been successful at uncovering an
> insider threat with source code review/static analysis.
> Specifically: what worked, what didn't?  How helpful, or not, was version
> control or other typical controls around the development process?
> Mat Caughron
> caughron at gmail.com
> (408) 910-1266
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20090813/0e28d846/attachment.html>

More information about the websecurity mailing list