[WEB SECURITY] code review techniques for when you don't trust your developers or testers
mat at phpconsulting.com
Thu Aug 13 12:32:46 EDT 2009
If you want a badder badnessometer*, keep scanning.
If you want to fix problems in appsec, you need source, specific actionable
modifications to source, insights into how to fix the source, executive
buy-in to make and go production with changes, meaningful access to most if
not all players in the SDLC, etc...
Obviously, there's a lot of money in the "keep scanning" game, and I do not
wish to comment here on how legitimate or not that approach is. Rather, my
email points to the necessity of source review for appsec, specifically
regarding insider threat.
From your email, are you proposing that it is possible to solve the insider
threat problem without static analysis? Say more!
* attributed to G.McGraw
On Tue, Aug 11, 2009 at 3:24 PM, Hoffman, Billy <billy.hoffman at hp.com> wrote:
> This is a rather odd email. Granted I work for a vendor with both dynamic
> and I’m put off by the whole “Here is a view that I hold as gospel truth,
> please give me real examples to support that view.” Am I misreading this?
> Billy Hoffman
> Manager, Web Security Research Group
> HP Software
> Direct: 770-343-7069
> *From:* Mat Caughron [mailto:mat at phpconsulting.com]
> *Sent:* Tuesday, August 11, 2009 3:03 PM
> *To:* websecurity at webappsec.org
> *Subject:* [WEB SECURITY] code review techniques for when you don't trust
> your developers or testers
> Have we all attained the realization that static analysis is where the real
> work of appsec gets done?
> I'll argue that source review (automated, manual) and enlightened DBAs are
> broadly better at solving the insider threat problem than dynamic
> Would love to hear from others who have been successful at uncovering an
> insider threat with source code review/static analysis.
> Specifically: what worked, what didn't? How helpful, or not, was version
> control or other typical controls around the development process?
> Mat Caughron
> caughron at gmail.com
> (408) 910-1266