[Owasp-codereview] How is code reviewing in the world?
Jim Manico
jim at manico.net
Thu Feb 22 14:54:01 EST 2007
> How is code review approached from customers outside Italy?
From the customer side - it's expensive. It doesn't "give" you
something, it's more like insurance. Or, the customer is being forced to
do it due to compliance or a failed audit. It's never a pretty scene.
> People *feel* that they need a security consultant to help them review their code?
Scary. A security pro simply cannot do a code review. You need a
developer with security awareness and app security experience in the
trenches. And those are just the bare minimum skills needed to even get
started.
> Customers are aware that a code review team can give them some help during the software development lifecycle, improving their applications' security?
Code review is mostly OUTSIDE of the SDL; usually the code review audit
team will make SDL recommendations - but these recommendations are
coming from "outside the circle" of the SDL, as external consultants.
It's not easy to make serious SDL changes unless you get some serious
management backing. Developers are like cats, always going off in their
own directions....
> How is the worldwide marketplace?
I dunno, but most of my clients want this very cheaply, and I think code
review (manual review with a tool) is very, very expensive when done
right (it requires a team....)
> Have you got some experience in doing pre-sales meetings proposing code review? How does the customer feel about this?

I give my clients the process breakdown, try to get a number of lines
of code so I can bid with the Fortify workbench (reviewing other tools
now), and in general get the scope on a paper signed contract before I
start. You want pen testing with your code review? You want
teaching/training with your code review? Want a more serious network
assessment? I can always bring in a bigger team.... (then I just call my
friends)
The customer is usually very happy about an in-depth pre-sales review.
Best,
Jim
Paolo Perego wrote:
> Hi there, I'm back from another presentation about code review and safe
> coding... our customer seemed to be scared about these issues and more
> prone to buy a "do-it-all" tool for code reviewing. So a question arises
> in my mind.
>
> How is code review approached from customers outside Italy? People
> *feel* that they need a security consultant to help them review their
> code? Customers are aware that a code review team can give them some
> help during the software development lifecycle, improving their
> applications' security? How is the worldwide marketplace? Have you got
> some experience in doing pre-sales meetings proposing code review? How
> does the customer feel about this?
>
> I'm so disappointed by the Italian scene... the common approach is, give a
> developer a tool (a cheap tool is better) and so the security is
> done... :(
>
> Sorry for this long mail, but I have to know if I've got a wrong vision
> about application security or if everybody in the world is scared about
> code review and safe coding practices.
>
> sp0nge
--
Best Regards,
Jim Manico
GIAC GSEC Professional, Sun Certified Java Programmer
jim at manico.net
808.652.3805