[WEB SECURITY] code review techniques for when you don't trust your developers or testers

Eugene Kuznetsov kuznetso at gmail.com
Fri Aug 14 10:53:12 EDT 2009


On Thu, 2009-08-13 at 17:08 -0500, travis+ml-webappsec at subspacefield.org
wrote:
> On Thu, Aug 13, 2009 at 04:17:28PM -0400, Eugene Kuznetsov wrote:
> > years in which to plan and do their damage covertly, you're probably
> > better off with weekly polygraph tests than software testing tools. 
> 
> I realize this wasn't your main point - possibly going OT here - but you
> might find this article interesting:
> 
> http://fas.org/sgp/othergov/polygraph/ames.html

Read it with interest, thanks! I actually know that polygraph testing
has some big failings (the Ames case being the Big One), so that was
intentional.

Once the complexity of the system approaches the complexity of the
human, you can scan the human, scan the code, scan the two of them
together -- but really, you're in a fight against overwhelming
complexity. 

Separately, I think the question of insider threat is interesting
theoretically. I don't agree that the obvious need for more "security
hygiene 101" should prevent its study, discussion or attempted
reduction.

					-- Eugene
