[Owasp-codereview] Application Security Code Review using OWASP Resources
Joshua Perrymon
josh at packetfocus.com
Fri Jul 4 17:43:17 EDT 2008
Hey Guys,
We have been asked to perform a code review for a new client next month.
Most of my experience has been with black-box pentesting, so I'm putting
together our code review methodology and putting resources together now.
I'm thinking of doing this in a 4 step process
1- Documentation gathering, business/data flow, input identification,
code identification
a. The first step is to understand the application and the data flow,
understand who is using the application, what code should be reviewed, and
to gather appropriate documentation, code, and config files
2- Content Analysis
a. Mirror the site to look for broken links, comments, JavaScript,
forms, etc.
3- Strategic Review
a. Use the OWASP Secure Application Development checklist to identify
strategic controls (if implemented)
4- Code Review
a. Review the code using a mixture of OWASP top 10 2004-2007 as needed
for older classic ASP sites.
b. Combine with white-box pentesting to validate findings and controls
c. Use testing guide and code review guide as supporting documents
d. Use OWASP tools such as the code review tool, LAPSE, TIGER, etc.
I may look at combining items #1-#2 as they are similar.
Is this sufficient for a smaller/medium sized financial institution? It's
much more detailed than they had in the scope of work.
Joshua Perrymon, CEH, OPST, OPSA
CEO PacketFocus LLC
Josh at packetfocus.com
1.877.PKT.FOCUS
1.205.994.6573
www.packetfocus.com
President Alabama OWASP Chapter www.owasp.org
Selected for "Top 5 Coolest hacks of 2007" Dark Reading/ Forbes.com
www.linkedin.com/in/packetfocus
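For the content-analysis and input-identification steps above (mirroring the site and pulling out comments, JavaScript references and forms), here is an added example of the kind of inventory script a reviewer could run over the mirrored HTML files. It is not from the original post; the page markup, file names and the `inventory`/`input_list` helpers are constructed for illustration, and it uses only the Python standard library.

```python
from html.parser import HTMLParser

class ContentInventory(HTMLParser):
    """Collect forms, data-carrying inputs, external scripts and HTML comments."""

    def __init__(self):
        super().__init__()
        self.forms = []      # one dict per <form>: action, method, inputs
        self.scripts = []    # src of every external <script>
        self.comments = []   # developer comments left in the served markup
        self._form = None    # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(), "inputs": []}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None:
            kind = a.get("type", "text") if tag == "input" else tag
            if kind not in ("submit", "button", "reset", "image"):  # not user data
                self._form["inputs"].append((a.get("name", ""), kind))
        elif tag == "script" and "src" in a:
            self.scripts.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def handle_comment(self, data):
        self.comments.append(data.strip())

def inventory(page_html):
    """Parse one mirrored page and return its content inventory."""
    parser = ContentInventory()
    parser.feed(page_html)
    parser.close()
    return {"forms": parser.forms, "scripts": parser.scripts, "comments": parser.comments}

def input_list(inv):
    """Flatten the inventory into 'action:name' entries for the input-identification step."""
    return [f"{f['action']}:{name}" for f in inv["forms"] for name, _ in f["inputs"]]

# Constructed sample page standing in for one file from the mirrored site.
SAMPLE_PAGE = """<html><body>
<!-- TODO: remove debug login before go-live -->
<script src="/js/validate.js"></script>
<form action="login.asp" method="POST">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="returnUrl" value="/account">
  <input type="submit" value="Sign in">
</form>
<form action="search.asp"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    inv = inventory(SAMPLE_PAGE)
    print(inv["comments"], inv["scripts"], input_list(inv))
```

Run it over every file of the mirror and the resulting action:name list becomes the starting point for tracing each input through the server-side code in step 4.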