[Owasp-codereview] Application Security Code Review using OWASP Resources

davidrook david.rook at realexpayments.com
Thu Jul 24 04:50:20 EDT 2008


Hi Josh - For 1a I'd recommend Threat Modeling for that piece. It's my
favourite approach to gathering all of that information in a structured
and repeatable way. (Sorry for the time it's taken for me to reply!)

monror at comcast.net wrote:
> Does anyone know how to get the "PHP charset encoder"?
>
> Thanks
> -------------- Original message -------------- 
> From: Eoin <eoinkeary at gmail.com> 
>
> Hi,
> Read the methodology part of the code review guide, that may help
>
>
>  
> On 04/07/2008, Joshua Perrymon <josh at packetfocus.com> wrote: 
> Hey Guys,
>
> We have been asked to perform a code review for a new client next month. Most of my experience has been with black-box pentesting, so I'm putting together our code review methodology and putting resources together now.
>
> I'm thinking of doing this in a 4 step process
>
> 1-      Documentation gathering, business/data flow, input identification, code identification
> a.       The first step is to understand the application and the data flow, understand who is using the application, what code should be reviewed, and to gather appropriate documentation, code, and config files
> 2-      Content Analysis
> a.       Mirror the site to look for broken links, comments, JavaScript, forms, etc.
> 3-      Strategic Review
> a.       Use the OWASP Secure Application Development checklist to identify strategic controls (if implemented)
> 4-      Code Review
> a.       Review the code using a mixture of OWASP top 10 2004-2007 as needed for older classic ASP sites.
> b.      Combine with white-box pentesting to validate findings and controls
> c.       Use testing guide and code review guide as supporting documents
> d.      Use OWASP tools such as code review tool, LAPSE, TIGER, etc.
>
> I may look at combining items #1-#2 as they are similar.
>
> Is this sufficient for a smaller/medium sized financial institution? It's much more detailed than they had in the scope of work.
>
> Joshua Perrymon, CEH, OPST, OPSA
> CEO PacketFocus LLC
> Josh at packetfocus.com
> 1.877.PKT.FOCUS
> 1.205.994.6573
> www.packetfocus.com
>
> President Alabama OWASP Chapter www.owasp.org
> Selected for "Top 5 Coolest hacks of 2007" Dark Reading/ Forbes.com
> www.linkedin.com/in/packetfocus
>
>
>
>
> _______________________________________________
> Owasp-codereview mailing list
> Owasp-codereview at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-codereview
>
>
>
>
>
>   
>
> ------------------------------------------------------------------------
>
> Subject: Re: [Owasp-codereview] Application Security Code Review using OWASP Resources
> From: Eoin <eoinkeary at gmail.com>
> Date: Tue, 8 Jul 2008 12:03:29 +0000
> To: josh at packetfocus.com
> CC: owasp-codereview at lists.owasp.org
>

-- 
David Rook | david.rook at realexpayments.com
Security Analyst

Realex Payments
Enabling thousands of businesses to sell online.

Realex Payments, Dublin, www.realexpayments.com
Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland
Tel: +353 (0)1 2808 559 Fax: +353 (0)1 2808 538

Realex Payments, London, www.realexpayments.co.uk
1 Hammersmith Grove, London W6 0NB, England
Tel: +44 (0)203 178 5370 Fax: +44 (0)207 691 7264

Pay and Shop Limited, trading as Realex Payments has its registered office at Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland and is registered in Ireland, company number 324929.

This mail and any documents attached are classified as confidential and
are intended for use by the addressee(s) only unless otherwise
indicated. If you are not an intended recipient of this email, you must
not use, disclose, copy, distribute or retain this message or any part
of it. If you have received this email in error, please notify us
immediately and delete all copies of this email from your computer
system(s). 
--
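Step 2 of Josh's outline (mirror the site, then inventory comments, JavaScript, forms and broken links) is the kind of pass a reviewer usually scripts rather than does by hand. The following is an added example, not code from the list or from any OWASP project: it walks a mirrored site held in memory as a {path: html} dict (a constructed two-page sample stands in for the mirror), records per-page HTML comments, form actions/methods/input names and external script references, and flags local links whose target is missing from the mirror. The site content, paths and the `inventory` helper are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class MirrorInventory(HTMLParser):
    """Collects the artefacts a content-analysis pass looks for in one mirrored page."""

    def __init__(self, page_path):
        super().__init__()
        self.page_path = page_path
        self.comments, self.forms, self.scripts, self.links = [], [], [], []
        self._form = None  # form currently being parsed, so inputs attach to it

    def handle_comment(self, data):
        # Developer comments often leak debug flags, credentials or TODOs.
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])  # named inputs are the input points to review
        elif tag == "script" and "src" in a:
            self.scripts.append(a["src"])
        elif tag == "a" and "href" in a:
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def inventory(site):
    """site: {path: html} for the mirrored pages. Returns (per-page report, broken local links)."""
    report, broken = {}, []
    for path, html in site.items():
        p = MirrorInventory(path)
        p.feed(html)
        report[path] = {"comments": p.comments, "forms": p.forms, "scripts": p.scripts}
        for href in p.links:
            target = urlparse(urljoin(path, href))
            if target.scheme or target.netloc:  # external or mailto: link, not part of the mirror
                continue
            if target.path not in site:
                broken.append((path, target.path))
    return report, broken


SITE = {  # constructed sample mirror, not a real site
    "/index.html": '<html><!-- TODO: remove debug=1 before go-live --><a href="/login.asp">Login</a>'
                   '<a href="/old.asp">Old</a><script src="/js/app.js"></script></html>',
    "/login.asp": '<form action="/login.asp" method="post"><input name="user">'
                  '<input name="pass" type="password"><input type="submit"></form>'
                  '<a href="http://example.com/">ext</a>',
}
```

Running `inventory(SITE)` gives each page's comments, forms and scripts plus `[("/index.html", "/old.asp")]` as the only broken local link; the form inventory doubles as the input-identification list for step 1.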


