RES: Fail Open Authentication and Parameter Injection

From: Mads Rasmussen <mads(at)opencs.com.br>
Date: Tue Mar 25 2003 - 15:23:53 EST

> -----Original Message-----
> Saying you're doing a code review is meaningless unless you define what kinds of problems you're looking for. Also, there are lots of ways to "review" the code. Going "line-by-line" is really not optimal from a security of vulnerability.

It would be nice if OWASP could include some general guidelines on this; I could imagine something like listing some priorities and maybe some examples of how to identify bad code.

> To me, the hardest problems to find are integrity issues and trojans. rules, you'll never know what should be allowed and what shouldn't. Trojans are supremely difficult, because a strong attacker will obfuscate the attack. If you don't absolutely trust the developers who wrote your code and you haven't reviewed it, you're taking an insane risk.

You hit the soft spot; I don't have a clue as to how to avoid this. If you must spend time to understand the business rule, the code review becomes very time consuming and thus expensive for the client.

In this outsourced world trojans seem to be an increasing risk. It might be somewhat avoided by testing the communication of the app with a sniffer, but it won't capture all of it; a trojan might be time-invoked.

Mads

Received on Tue Mar 25 15:51:22 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT
