[WEB SECURITY] code review techniques for when you don't trust your developers or testers

Steven M. Christey coley at linus.mitre.org
Thu Aug 13 18:14:45 EDT 2009

On Thu, 13 Aug 2009, Jim Manico wrote:

> This is a pain to get right, even more of a pain to maintain -
> especially since the tools to manage Java policy are poor, at best. But
> I think it's our best defense in protecting an enterprise against the
> insider evil coder.

There may be techniques for finding the "insider evil coder" doing things
that don't make sense like executing an external program and sending
results across a hard-coded network connection - Veracode did a paper on
back door detection about a year ago.  To get any depth at all, though,
you'd need a well-developed model of what the application is supposed to
do, especially with respect to its interfaces with the OS, downstream
components, etc.

That still won't address intentionally-introduced "business logic" issues
(with a narrower use of the term than perhaps Jeremiah's), or the use of
legitimate interfaces to create covert channels.  In these cases, it
requires full human understanding of what the code is supposed to be doing
with *simultaneous* expert understanding of the domain.  Consider an odd
divide-by-zero error that can only occur in a certain time zone on one day
of a 30-year cycle with several other factors at play.  If you could do
that type of analysis, then you would also probably have the ability to
detect and produce a bug-free system.  The theorists throw around the
"undecidable" term a lot when it comes to proving that code doesn't have
any bugs, and the evil-developer problem may be an alternate expression of

In other words, I think it's impossible to prove that modern web-based
applications are correct from a security perspective (even with respect to
only one layer of source code and ignoring the environment), and this is
even more impossible if you care about business-logic correctness on top
of the injection side of the spectrum.

- Steve

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list