[Owasp-board] [Owasp-codereview] code review guide reboot (CRG V2.0)

Jeff Williams jeff.williams at owasp.org
Thu Jul 22 20:27:49 UTC 2010


> 
> I’d like to volunteer with the business logic code review – been putting it into words lately with developers who assume that a user will use the applications as they are intended to flow.
> 
> Manipulating workflows, data flows, authorization flows, etc…
> 
Let's be sure that we're not really talking about access control problems here.  True business logic problems are really important, but you have to understand the business to be able to find them.  Like...the application uses a futzblargh predictive state algorithm to purchase options on the energy market. The snarfblatt algorithm is better because it can't be predicted externally.

I know there are many examples of business logic problems that are like the ones you listed.  They're wrong.  Nevertheless this is a really important area.


> -Fred
> 
> From: owasp-codereview-bounces at lists.owasp.org [mailto:owasp-codereview-bounces at lists.owasp.org] On Behalf Of Eoin
> Sent: Thursday, July 22, 2010 7:42 AM
> To: OWASP Foundation Board List
> Cc: Owasp-codereview at lists.owasp.org
> Subject: [Owasp-codereview] code review guide reboot (CRG V2.0)
> 
> hey,
> 
> (First time I have been near a PC in 11 days.)
> 
> I am hoping to re-boot the code review guide over the winter.
> 
> Looking for support along the same lines as the testing guide.
> 
> I want to update content significantly as it is a little old, integrate and cross reference with ASVS and Testing guide.
> 
> Use the common numbering nomenclature and cross reference the other guides.
> 
> More client side aspects need to be added, business logic code review, and also a section on rootkits and trojan code.
> 
> I would like this to go on the board agenda for Aug 3rd, Kate can you make it so?
> 
> Eoin
> 
> -- 
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
> 
> Sent from my i-Transmogrifier
> http://asg.ie/
> https://twitter.com/EoinKeary
> 
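Fred's workflow-manipulation point and Jeff's distinction between access control and business logic, as an added example that is not part of this thread or of the Code Review Guide itself: a hypothetical three-step checkout (the state names, the `Order` class, the `advance`/`confirm_insecure` functions and the users alice and mallory are all constructed here) in which the server, not the client, decides whether the previous step actually happened. The ownership check and the step-ordering check are kept as two separate failures so a reviewer can see which class a finding belongs to.

```python
from dataclasses import dataclass, field

# Each target state lists the states it may legitimately be entered from.
# (Hypothetical checkout flow constructed for this example.)
ALLOWED_TRANSITIONS = {
    "shipping_set": {"cart"},
    "payment_authorized": {"shipping_set"},
    "confirmed": {"payment_authorized"},
}


class WorkflowViolation(Exception):
    """Raised when a step is requested out of the order the business defines."""


class AuthorizationError(Exception):
    """Raised when the acting user does not own the order (an access-control failure)."""


@dataclass
class Order:
    order_id: int
    owner: str
    state: str = "cart"
    history: list = field(default_factory=list)


def advance(order: Order, target: str, acting_user: str) -> Order:
    """Move an order to `target` only if the user owns it and the flow allows it."""
    # Access-control check: who may act on this order at all.
    if order.owner != acting_user:
        raise AuthorizationError(f"{acting_user} does not own order {order.order_id}")
    # Workflow check: the previous step must actually have happened server-side,
    # regardless of what the client claims in the request.
    if order.state not in ALLOWED_TRANSITIONS.get(target, set()):
        raise WorkflowViolation(f"cannot go from {order.state} to {target}")
    order.history.append(order.state)
    order.state = target
    return order


def confirm_insecure(order: Order, client_says_paid: bool) -> str:
    """The pattern a reviewer looks for: a client-supplied flag replaces the flow check."""
    if client_says_paid:  # nothing verifies that payment_authorized ever ran
        order.state = "confirmed"
    return order.state


def run_happy_path() -> list:
    """Walk the flow in the intended order; returns the states visited."""
    order = Order(order_id=1, owner="alice")
    for step in ("shipping_set", "payment_authorized", "confirmed"):
        advance(order, step, "alice")
    return order.history + [order.state]


def attempt_skip(start_state: str, target: str, actor: str = "alice") -> str:
    """Try to jump straight to `target`; returns 'blocked', 'forbidden' or the new state."""
    order = Order(order_id=2, owner="alice", state=start_state)
    try:
        advance(order, target, actor)
    except WorkflowViolation:
        return "blocked"
    except AuthorizationError:
        return "forbidden"
    return order.state
```

When reviewing real code the question is whether every handler resembles `advance` (state read from server-side storage, transition table consulted) or `confirm_insecure` (state inferred from a parameter the user controls); the former is where genuine business logic review starts, the latter is a plain input-trust bug.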