[WEB SECURITY] code review techniques for when you don't trust your developers or testers

Bil Corry bil at corry.biz
Sun Aug 16 00:51:11 EDT 2009

Bill Pennington wrote on 8/14/2009 1:26 PM:
> By far the vast majority of web app incidents I have seen are all the
> run of the mill <outsider> used <SQLi/XSS/biz. logic> to do 
> <somethingbad>. I have seen hundreds of those and 2 bad developer and
> one bad sysadmin. I would say less than 1% of the cases I have seen 
> involve that type of attack. I am pretty sure the Verizon report 
> backs up my experience as well but I did not read the entire report.

True, I've only seen one "evil developer" story reported within the last year or so (and it appears they used insider knowledge rather than actually coding something malicious):

	Hidden Code Costs Poker Players Thousands

I suspect part of the reason for such low numbers is because a competent evil developer isn't going to put an obvious backdoor into the system, they're instead more likely to code something that would look like a bug if found (plausible deniability).  Really, how can you tell when SQLi was added with malicious intent[1]?  Or the recently disclosed sendpage vulnerability that is present "in all Linux kernels since 2001."[2]  Backdoor or bug?  Can we ever really know?  And how many of these attacks go unnoticed entirely?

There is definitely a danger of underreporting for "evil developer" attacks and it may be more prevalent than it currently appears.  If we lump in hidden "Easter Eggs" (as M. E. Kabay urges us to do[3]) then it gets significantly more common.

- Bil

[1] The only way I'm aware of is to observe it being exploited by a trusted insider or someone that can be traced back to a trusted insider.
[2] http://lists.grok.org.uk/pipermail/full-disclosure/2009-August/070214.html
[3] http://www.networkworld.com/newsletters/sec/0327sec1.html

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list