[Owasp-codereview] Application Security Code Review using OWASP Resources

monror at comcast.net monror at comcast.net
Wed Jul 23 14:31:08 EDT 2008


Does anyone know how to get the "PHP charset encoder"?

Thanks
-------------- Original message -------------- 
From: Eoin <eoinkeary at gmail.com> 

Hi,
Read the methodology part of the code review guide; that may help.

On 04/07/2008, Joshua Perrymon <josh at packetfocus.com> wrote: 
Hey Guys,

We have been asked to perform a code review for a new client next month. Most of my experience has been with black-box pentesting, so I'm putting together our code review methodology and putting resources together now.

I'm thinking of doing this in a 4 step process

1-      Documentation gathering, business/data flow, input identification, code identification
a.       The first step is to understand the application and the data flow, understand who is using the application, what code should be reviewed, and to gather appropriate documentation, code, and config files
2-      Content Analysis
a.       Mirror the site to look for broken links, comments, JavaScript, forms, etc.. 
3-      Strategic Review
a.       Use the OWASP Secure Application Development checklist to identify strategic controls (if implemented)
4-      Code Review
a.       Review the code using a mixture of OWASP top 10 2004-2007 as needed for older classic ASP sites.
b.      Combine with white-box pentesting to validate findings and controls
c.       Use testing guide and code review guide as supporting documents
d.      Use OWASP tools such as code review tool, LAPSE, TIGER, etc.

I may look at combining items #1-#2 as they are similar.

Is this sufficient for a smaller/medium sized financial institution? It's much more detailed than they had in the scope of work.

Joshua Perrymon, CEH, OPST, OPSA
CEO PacketFocus LLC
Josh at packetfocus.com
1.877.PKT.FOCUS
1.205.994.6573
www.packetfocus.com

President Alabama OWASP Chapter www.owasp.org
Selected for "Top 5 Coolest hacks of 2007" Dark Reading/ Forbes.com
www.linkedin.com/in/packetfocus




_______________________________________________
Owasp-codereview mailing list
Owasp-codereview at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-codereview





-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Code_Review_Project 
-------------- next part --------------
An embedded message was scrubbed...
From: Eoin <eoinkeary at gmail.com>
Subject: Re: [Owasp-codereview] Application Security Code Review using OWASP Resources
Date: Tue, 8 Jul 2008 12:03:29 +0000
Size: 739
Url: https://lists.owasp.org/pipermail/owasp-codereview/attachments/20080723/49a54a9d/attachment.mht
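Step 2 of Josh's list (mirror the site and go through it for comments, JavaScript, forms and broken links) is mechanical enough to script, and it also covers most of the "input identification" part of step 1. The block below is an added example, not code from this thread or from any OWASP tool. It assumes the site has already been mirrored to a local directory (for instance with wget -m) and that pages carry .asp/.html/.htm/.php extensions; the two sample pages embedded in it are constructed for the example.

```python
"""Content-analysis pass over a mirrored site (added example, not from the thread).

Walks mirrored HTML and pulls out what a reviewer wants before opening source:
HTML comments, forms and their input names, script references, inline JS, and
internal links whose target page is missing from the mirror.
"""
import os
import posixpath
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample mirror (path -> page body); load_mirror() reads a real one.
SAMPLE_MIRROR = {
    "index.asp": """<html><body>
<!-- TODO: remove debug param before go-live -->
<a href="login.asp">Login</a>
<a href="admin/old_report.asp">Reports</a>
<script src="/js/validate.js"></script>
</body></html>""",
    "login.asp": """<html><body>
<form action="login.asp" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="redirect" value="index.asp">
</form>
<script>function chk(){ return document.forms[0].username.value != ""; }</script>
</body></html>""",
}


class PageScanner(HTMLParser):
    """Collects comments, forms/inputs, scripts and links from one page."""

    def __init__(self):
        super().__init__()
        self.comments, self.forms, self.script_srcs = [], [], []
        self.inline_js, self.links = [], []
        self._in_script = False

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action", ""),
                               "method": a.get("method", "get").lower(),
                               "inputs": []})
        elif tag == "input" and self.forms:
            # Hidden fields count: they are as attacker-controlled as any other.
            self.forms[-1]["inputs"].append((a.get("name", ""), a.get("type", "text")))
        elif tag == "script":
            self._in_script = True
            if "src" in a:
                self.script_srcs.append(a["src"])
        elif tag == "a" and "href" in a:
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_js.append(data.strip())


def load_mirror(root):
    """Read every page file under a mirrored directory into {relpath: body}."""
    pages = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith((".asp", ".html", ".htm", ".php")):
                full = os.path.join(dirpath, f)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, encoding="utf-8", errors="replace") as fh:
                    pages[rel] = fh.read()
    return pages


def is_internal(href):
    """Scheme-less, host-less links with a path are taken as part of the site."""
    p = urlsplit(href)
    return not p.scheme and not p.netloc and bool(p.path)


def analyze(pages):
    """Scan every page and resolve internal links against the mirror contents."""
    r = {"comments": [], "forms": [], "scripts": [], "inline_js": [], "broken_links": []}
    for path, body in pages.items():
        s = PageScanner()
        s.feed(body)
        r["comments"] += [(path, c) for c in s.comments]
        r["forms"] += [(path, f) for f in s.forms]
        r["scripts"] += [(path, src) for src in s.script_srcs]
        r["inline_js"] += [(path, js) for js in s.inline_js]
        base = posixpath.dirname(path)
        for href in s.links:
            if not is_internal(href):
                continue
            t = urlsplit(href).path
            resolved = t.lstrip("/") if t.startswith("/") else posixpath.normpath(posixpath.join(base, t))
            if resolved not in pages:
                r["broken_links"].append((path, href))
    return r


if __name__ == "__main__":
    for key, items in analyze(SAMPLE_MIRROR).items():
        print(key, items)
```

Point load_mirror() at the mirror root and pass the result to analyze(). The comment list is the first place to look for leftover debug hooks; the form and script lists are the input inventory to carry into the code review; and broken internal links often point at pages that were retired from navigation but are still served by the live host.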

