[WEB SECURITY] code review techniques for when you don't trust your developers or testers

Eugene Kuznetsov kuznetso at gmail.com
Fri Aug 14 10:53:12 EDT 2009

On Thu, 2009-08-13 at 17:08 -0500, travis+ml-webappsec at subspacefield.org
> On Thu, Aug 13, 2009 at 04:17:28PM -0400, Eugene Kuznetsov wrote:
> > years in which to plan and do their damage covertly, you're probably
> > better off with weekly polygraph tests than software testing tools. 
> I realize this wasn't your main point - possibly going OT here - but you
> might find this article interesting:
> http://fas.org/sgp/othergov/polygraph/ames.html

Read it with interest, thanks! I actually know that polygraph testing
has some big failings (the Ames case being the Big One), so that was

Once the complexity of the system approaches the complexity of the
human, you can scan the human, scan the code, scan the two of them
together -- but really, you're in a fight against overwhelming

Separately, I think the question of insider threat is interesting
theoretically. I don't agree that the obvious need for more "security
hygiene 101" should prevent its study, discussion or attempted

					-- Eugene
