[Owasp-codereview] Application Security Code Review using OWASP Resources

Eoin eoinkeary at gmail.com
Tue Jul 8 08:03:09 EDT 2008


Hi,
Read the methodology part of the Code Review Guide; that may help.



On 04/07/2008, Joshua Perrymon <josh at packetfocus.com> wrote:
>
> Hey Guys,
>
> We have been asked to perform a code review for a new client next month.
> Most of my experience has been with black-box pentesting, so I'm putting
> together our code review methodology and putting resources together now.
>
> I'm thinking of doing this in a 4-step process:
>
> 1- Documentation gathering, business/data flow, input identification,
> code identification
>
> a. The first step is to understand the application and the data
> flow, understand who is using the application, what code should be reviewed,
> and to gather appropriate documentation, code, and config files
>
> 2- Content Analysis
>
> a. Mirror the site to look for broken links, comments, JavaScript,
> forms, etc.
>
> 3- Strategic Review
>
> a. Use the OWASP Secure Application Development checklist to
> identify strategic controls (if implemented)
>
> 4- Code Review
>
> a. Review the code using a mixture of OWASP Top 10 2004-2007 as
> needed for older classic ASP sites.
>
> b. Combine with white-box pentesting to validate findings and
> controls
>
> c. Use the Testing Guide and Code Review Guide as supporting documents
>
> d. Use OWASP tools such as the code review tool, LAPSE, TIGER, etc.
>
> I may look at combining items #1-#2 as they are similar.
>
> Is this sufficient for a smaller/medium sized financial institution? It's
> much more detailed than they had in the scope of work.
>
> Joshua Perrymon, CEH, OPST, OPSA
> CEO PacketFocus LLC
> Josh at packetfocus.com
> 1.877.PKT.FOCUS
> 1.205.994.6573
> www.packetfocus.com
>
> President Alabama OWASP Chapter www.owasp.org
> Selected for "Top 5 Coolest hacks of 2007" Dark Reading/ Forbes.com
> www.linkedin.com/in/packetfocus
>


-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Code_Review_Project
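As an added illustration of the "input identification" part of step 1 and the classic ASP review in step 4 of the quoted plan (this is example code written for this page, not code from the thread, from OWASP or from PacketFocus), the script below inventories the places where request data enters a classic ASP page and lists the output and database sinks where that data is later used. It is a two-pass regular-expression heuristic, not a real taint analysis: the Request objects, sink patterns and guard patterns are assumptions chosen for the example, and the ASP page it scans is constructed here for illustration.

```python
"""Inventory of untrusted-input entry points and their sinks in classic ASP.

Added example for a code review of classic ASP: not part of the mailing-list
thread. The regex lists below are assumptions picked for the example, and the
ASP page in SAMPLE_ASP is constructed, not taken from any real site.
"""
import re
from dataclasses import dataclass

# Objects through which untrusted data enters a classic ASP page (assumed list).
INPUT_RE = re.compile(
    r"(Request(?:\.(?:QueryString|Form|Cookies|ServerVariables))?)"
    r'\s*\(\s*"([^"]*)"\s*\)',
    re.IGNORECASE,
)
# A plain assignment that stores request data; its variable name becomes "tainted".
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*Request\b", re.IGNORECASE)
# Sinks the reviewer wants to look at first: HTML output and SQL/command execution.
SINK_RE = re.compile(
    r"Response\.Write|\.Execute\s*\(|\bSELECT\b|\bINSERT\b|\bUPDATE\b|\bDELETE\b",
    re.IGNORECASE,
)
# Calls on a sink line that suggest the input was encoded or type-converted.
GUARD_RE = re.compile(r"HTMLEncode|URLEncode|\bCInt\b|\bCLng\b|\bIsNumeric\b", re.IGNORECASE)


@dataclass(frozen=True)
class EntryPoint:
    file: str
    line: int
    source: str   # Request.QueryString, Request.Form, ... or bare Request
    name: str     # parameter name as written in the page


@dataclass(frozen=True)
class SinkUse:
    file: str
    line: int
    inputs: tuple  # tainted variables and direct Request calls on that line
    guarded: bool  # an encoding or type-conversion call is present on the line


def inventory(filename, text):
    """Return (entry points, sink uses) for one ASP file.

    Pass 1 records every Request(...) read and every variable assigned from
    Request. Pass 2 reports sink lines that mention a Request call or a
    tainted variable. Lines are independent, so this over- and under-reports
    compared with a real data-flow analysis; it is a reviewer's worklist.
    """
    lines = text.splitlines()
    entries, tainted = [], set()
    for lineno, line in enumerate(lines, start=1):
        for m in INPUT_RE.finditer(line):
            entries.append(EntryPoint(filename, lineno, m.group(1), m.group(2)))
        a = ASSIGN_RE.match(line)
        if a:
            tainted.add(a.group(1).lower())
    sinks = []
    for lineno, line in enumerate(lines, start=1):
        if not SINK_RE.search(line):
            continue
        used = [m.group(1) for m in INPUT_RE.finditer(line)]
        used += sorted(
            v for v in tainted
            if re.search(r"\b%s\b" % re.escape(v), line, re.IGNORECASE)
        )
        if used:
            sinks.append(SinkUse(filename, lineno, tuple(used), bool(GUARD_RE.search(line))))
    return entries, sinks


# Constructed sample page: one parameterless SQL concatenation, one encoded
# output, and one direct echo of a request value.
SAMPLE_ASP = """<%
Dim id, name
id = Request.QueryString("id")
name = Request.Form("name")
Set rs = conn.Execute("SELECT * FROM Accounts WHERE AcctId = " & id)
Response.Write "Hello, " & Server.HTMLEncode(name)
Response.Write Request("ref")
%>"""


if __name__ == "__main__":
    entries, sinks = inventory("account.asp", SAMPLE_ASP)
    print("Entry points:")
    for e in entries:
        print(f"  {e.file}:{e.line} {e.source}(\"{e.name}\")")
    print("Sink lines using request data (unguarded first):")
    for s in sorted(sinks, key=lambda s: s.guarded):
        flag = "guarded" if s.guarded else "REVIEW"
        print(f"  {s.file}:{s.line} [{flag}] uses {', '.join(s.inputs)}")
```

On the sample page the script lists three entry points and three sink lines; the `Execute` line that concatenates `id` into SQL and the `Response.Write` that echoes `Request("ref")` come out unguarded, while the `HTMLEncode` line is marked guarded. Running it over a whole site (`os.walk` over `*.asp`) gives the reviewer the input inventory step 1 asks for and a prioritised list of lines to read by hand in step 4.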