[WEB SECURITY] code review techniques for when you don't trust your developers or testers

Martin O'Neal martin.oneal at corsaire.com
Sun Aug 16 03:42:53 EDT 2009

> And I agree with you wholeheartedly; we have to deal 
> with XSS and SQLi type issues first. Walk before you 
> run kind of thinking.

I've been following the thread and thought I might dive in now. :)

I would disagree with separating out attacks against the codebase and
SQLi/XSS etc as being opposing ends of a spectrum (well, there may be
Ogre traps and wormhole-resistant y-fronts in there too, but you know
what I mean).  My thinking behind this is two-fold:

The first is, code level issues are trivial to identify in retrospect
just by simple good-practice separation-of-duties around your
versioning, deployment, and monitoring roles/systems. Catching them
proactively isn't so trivial; but if you get the other bits right, and
make sure all your developers know this is the case, then you have an
effective deterrent. Poor quality code and deliberate attacks can be
quickly traced back to an individual. The rest becomes just a normal
man-management issue. 

The second is that XSS and SQLi are issues that have lots of low-hangers
that are indeed trivial to catch (and a good place to start), but they
are next to impossible (especially XSS) to remove entirely from a large,
rapidly changing codebase. Especially one that depends on a framework or
TP code (that periodically have issues themselves). 

I would say it was easy to get the basics right, throughout your
development cycle, by hooking in with the various SDLC programmes that
are out there. Being good, let alone excellent, takes a huge amount of
commitment and investment (both in time and of money).  A quick peek at
what Microsoft have been doing over recent years shows an enormous
investment, with only a modest reduction of the number of issues making
it to the production environment.

Let the flanning commence. :)


Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list