[WEB SECURITY] code review techniques for when you don't trust your developers or testers

Hoffman, Billy billy.hoffman at hp.com
Thu Aug 13 12:49:05 EDT 2009


(thanks for posting a private email to the group. I guess this is now a public discussion. Stay Classy Mat!)

I believe companies need to have a blend of tools to confront web security issues. I personally recommend the use of Static, Dynamic and WAFs, as each has its place. I believe the pros and cons of all 3 types complement each other.

What I was asking about was the tone of your original email. The feeling I derived from it was "Static is the awesome. Everything else is silly. Group please provide me with real world examples that will prove my opinion. I am not interested in stories that discount this opinion." However, you had a phrase or two like "how helpful or not" that made me think I might have misread your meaning. I was asking for clarification.

Are you interested in areas where static falls down? Are you interested in real world examples of how people recognize and mitigate where static falls down?

Billy Hoffman
--
Manager, Web Security Research Group
HP Software
Direct: 770-343-7069

From: Mat Caughron [mailto:mat at phpconsulting.com]
Sent: Thursday, August 13, 2009 12:33 PM
To: websecurity at webappsec.org; Hoffman, Billy
Subject: Re: [WEB SECURITY] code review techniques for when you don't trust your developers or testers

Hi Billy:

If you want a badder badnessometer*, keep scanning.

If you want to fix problems in appsec, you need source, specific actionable modifications to source, insights into how to fix the source, executive buy-in to make and go production with changes, meaningful access to most if not all players in the SDLC, etc...

Obviously, there's a lot of money in the "keep scanning" game, and I do not wish to comment here on how legitimate or not that approach is.  Rather, my email points to the necessity of source review for appsec, specifically regarding insider threat.

From your email, are you proposing that it is possible to solve the insider threat problem without static analysis?  Say more!



Mat Caughron
(408) 910-1266


* attributed to G. McGraw

On Tue, Aug 11, 2009 at 3:24 PM, Hoffman, Billy <billy.hoffman at hp.com> wrote:

This is a rather odd email. Granted I work for a vendor with both dynamic and I'm put off by the whole "Here is a view that I hold as gospel truth, please give me real examples to support that view." Am I misreading this?

Billy Hoffman
--
Manager, Web Security Research Group
HP Software
Direct: 770-343-7069

From: Mat Caughron [mailto:mat at phpconsulting.com]
Sent: Tuesday, August 11, 2009 3:03 PM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] code review techniques for when you don't trust your developers or testers
All:

Have we all attained the realization that static analysis is where the real work of appsec gets done?

I'll argue that source review (automated, manual) and enlightened DBAs are broadly better at solving the insider threat problem than dynamic techniques.

Would love to hear from others who have been successful at uncovering an insider threat with source code review/static analysis.
Specifically: what worked, what didn't?  How helpful, or not, was version control or other typical controls around the development process?
Mat Caughron
caughron at gmail.com
(408) 910-1266
