
Re: Fail Open Authentication and Parameter Injection

From: Jeff Williams (at) Aspect <(at)>
Date: Tue Mar 25 2003 - 15:06:11 EST

Absolutely. The key is coming up with a standard for the review. Saying you're doing a code review is meaningless unless you define what kinds of problems you're looking for. Also, there are lots of ways to "review" the code. Going "line-by-line" is really not optimal from a security perspective in my opinion. You use different techniques for each type of vulnerability.

To me, the hardest problems to find are integrity issues and trojans. Integrity is difficult because unless you understand the business rules, you'll never know what should be allowed and what shouldn't. Trojans are supremely difficult, because a strong attacker will obfuscate the attack. If you don't absolutely trust the developers who wrote your code and you haven't reviewed it, you're taking an insane risk.

--Jeff

----- Original Message -----
From: Mads Rasmussen
To: Jeff Williams @ Aspect ; webappsec@securityfocus.com
Sent: Tuesday, March 25, 2003 2:00 PM
Subject: RES: Fail Open Authentication and Parameter Injection

> -----Original Message-----

<snip>

> You just can't beat actually looking at the code. You'll need to work
> out a process for reviewing the code and a standard to review against.
> You also need to make sure you've found ALL the code. But a code review
> will give you some real assurance that you've covered everything...in a way

Sure enough, but you often have to prioritize, opening the possibility of missing something.
Something that should get high priority would be

  1. authentication
  2. content modifying code etc

Mads

Received on Tue Mar 25 15:22:31 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT
