[WEB SECURITY] code review techniques for when you don't trust your developers or testers

Mat Caughron mat at phpconsulting.com
Thu Aug 13 14:29:05 EDT 2009


Billy et al:

Assumed this discussion was public, as I use a different means for
private communication.

> Are you interested in areas where static falls down?
> Are you interested in real world examples of how people
> recognize and mitigate where static falls down?

Failure is always interesting, but neither of the above speak to what
I'm after here.

What interests me is this: lessons learned in the course of catching
insider threats.  The sample set for insider threats is hard to come
by, but if any group of people can get their hands on the info, it's
probably this one.

Mat Caughron
(408) 910-1266

On Thu, Aug 13, 2009 at 11:49 AM, Hoffman, Billy <billy.hoffman at hp.com> wrote:
>
> (thanks for posting a private email to the group. I guess this is now a public discussion. Stay Classy Mat!)
>
> I believe companies need to have a blend of tools to confront web security issues. I personally recommend the use of Static, Dynamic and WAFs, as each has its place. I believe the pros and cons of all 3 types complement each other.
>
> What I was asking about was the tone of your original email. The feeling I derived from it was “Static is the awesome. Everything else is silly. Group please provide me with real world examples that will prove my opinion. I am not interested in stories that discount this opinion.” However you had a phrase or two like “how helpful or not” that made me think I might have misread your meaning. I was asking for clarification.
>
> Are you interested in areas where static falls down? Are you interested in real world examples of how people recognize and mitigate where static falls down?
>
> Billy Hoffman
>
> --
> Manager, Web Security Research Group
> HP Software
> Direct: 770-343-7069
>
> From: Mat Caughron [mailto:mat at phpconsulting.com]
> Sent: Thursday, August 13, 2009 12:33 PM
> To: websecurity at webappsec.org; Hoffman, Billy
> Subject: Re: [WEB SECURITY] code review techniques for when you don't trust your developers or testers
>
> Hi Billy:
>
> If you want a badder badnessometer*, keep scanning.
>
> If you want to fix problems in appsec, you need source, specific actionable modifications to source, insights into how to fix the source, executive buy-in to make and go production with changes, meaningful access to most if not all players in the SDLC, etc...
>
> Obviously, there's a lot of money in the "keep scanning" game, and I do not wish to comment here on how legitimate or not that approach is.  Rather, my email points to the necessity of source review for appsec, specifically regarding insider threat.
>
> From your email, are you proposing that it is possible to solve the insider threat problem without static analysis?  Say more!
>
> Mat Caughron
> (408) 910-1266
>
>
> * attributed to G.McGraw
>
> On Tue, Aug 11, 2009 at 3:24 PM, Hoffman, Billy <billy.hoffman at hp.com> wrote:
>
> This is a rather odd email. Granted I work for a vendor with both dynamic and I’m put off by the whole “Here is a view that I hold as gospel truth, please give me real examples to support that view.” Am I misreading this?
>
> Billy Hoffman
> --
> Manager, Web Security Research Group
> HP Software
> Direct: 770-343-7069
>
> From: Mat Caughron [mailto:mat at phpconsulting.com]
> Sent: Tuesday, August 11, 2009 3:03 PM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] code review techniques for when you don't trust your developers or testers
>
> All:
>
> Have we all attained the realization that static analysis is where the real work of appsec gets done?
>
> I'll argue that source review (automated, manual) and enlightened DBA's are broadly better at solving the insider threat problem than dynamic techniques.
>
> Would love to hear from others who have been successful at uncovering an insider threat with source code review/static analysis.
> Specifically: what worked, what didn't?  How helpful, or not, was version control or other typical controls around the development process?
>
> Mat Caughron
> caughron at gmail.com
> (408) 910-1266
>
