|
|
| Applications |
| Mailing Lists |
| Miscellaneous |
| Operating Systems |
| Programming |
Re: Fail Open Authentication and Parameter Injection
Date: Tue Mar 25 2003 - 16:31:30 EST
Mads wrote:
> > If you don't absolutely trust the developers who wrote your code and
you
> > haven't reviewed it, you're taking an insane risk.
I don't understand why people think code reviews are so time consuming and expensive. Whether you're pentesting or code reviewing, the goal is to find security holes in the software as quickly as possible. Yes, you can "complete" a penetration test in a short amount of time. But what did you really learn? That some (very) small subset of the possible attacks either works or doesn't work?
I'm convinced that reviewing/searching/scanning the *code* is far more cost-effective than external scanning or penetration testing. You can complete a code review quickly too. You keep the standard short and don't search too hard. In the end, I believe you'll find more of the most important security holes faster by looking at the code.
Imagine that you need to verify that an application implements a business rule without a security flaw. No matter what, you have to figure out how it 'ought' to work. Once you've done that, how are you going to verify it? If you choose to pentest, someone will bang on the site from the outside and attempt to make it malfunction (they also have to detect that it broke, which ain't trivial). If you choose to review the code, you can identify where the rule is implemented, analyze the code, and make findings.
I'll put my money into code review every time.
--Jeff
Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com
Received on Tue Mar 25 16:38:40 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT
|
Contact Us Legal Notices Order Services Online Pantek Home Privacy Policy IT news Site Map Pantek Library |