[WEB SECURITY] code review techniques for when you don't trust your developers or testers

Eugene Kuznetsov kuznetso at gmail.com
Thu Aug 13 16:17:28 EDT 2009


> for when you don't trust your developers or testers

While we're being controversial, when you say "don't trust" do you mean
mistakes and negligence, or really active malice, as others have taken
to mean it? 

Because if it's really "insider threat", I will add to the controversy
to say the following: 

I think it is nearly impossible to protect a large, complex software
product against a determined, competent attacker who is a software
developer writing the code for said product. One should obviously make
use of all automatic and manual processes conceivable, but the issue is
similar to the problem of insider threat in espionage -- if you have a
trusted employee who has gone over to the other side, and they have
years in which to plan and do their damage covertly, you're probably
better off with weekly polygraph tests than software testing tools. 
