[Owasp-codereview] White box assessment estimation
daniel.clemens at packetninjas.net
Wed Mar 25 16:02:03 UTC 2015
This is one way to look at it if budgets are the only concern.
There should be a time and materials cost to source code work.
Time - Analysis of core components manually.
Cost - Cost of automated tool use for x lines of code based on your licensing restrictions.
In the end manual review and input tracing while keeping a mental map of the stack in your mind is needed.
LoC, regardless of automated or manual, is really the only way to prioritize what components will be looked at in a larger code base.
You will still have a budget and time constraints, but cutting out LoC as a way to gauge coverage sounds immature and negligent.
On Mar 25, 2015, at 10:42 AM, Maldonado, Eduardo <eduardomaldonado at kpmg.com.mx> wrote:
> The reason why we estimate the automated assessment in that way is because you can get just a few findings in a huge source code, as well as you can get tons of findings in a small source code. If you see it in this way, estimation based on lines of code is not the right factor to estimate.
O +1 202 747 0043 Ext 7001
F +1 205 449 4731
265 Riverchase Pkwy E. Suite 200
Hoover, AL 35244
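As an added illustration of the LoC-based scoping the post argues for (this is example code written for this page, not something posted by either author), the script below counts non-blank, non-comment lines per top-level component, ranks components by size with a cumulative coverage share, and turns the total into a time-and-materials figure. The sample tree is constructed inline, and the review rate, hourly rate and per-KLoC tool cost are placeholder assumptions rather than figures from the post.

```python
"""Scope a white-box review by lines of code (added example, not from the list post).

Counts non-blank, non-comment lines per top-level component, ranks the
components largest first, and produces a time-and-materials estimate.
"""
from collections import defaultdict

# Constructed sample tree (path -> contents); stands in for a real checkout.
SAMPLE_TREE = {
    "auth/login.py": "import os\n\n# handle login\ndef login(u, p):\n    return check(u, p)\n",
    "auth/session.py": "def new_session(uid):\n    return token(uid)\n\n\ndef token(uid):\n    return str(uid)\n",
    "api/handlers.py": "# REST handlers\ndef get(req):\n    return 200\n\ndef post(req):\n    return 201\n\ndef delete(req):\n    return 204\n",
    "util/strings.py": "def strip(s):\n    return s.strip()\n",
}


def count_loc(source: str) -> int:
    """Count lines that are neither blank nor pure '#' comment lines."""
    n = 0
    for line in source.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            n += 1
    return n


def loc_by_component(tree: dict) -> dict:
    """Aggregate LoC by the top-level directory of each path."""
    totals = defaultdict(int)
    for path, src in tree.items():
        component = path.split("/", 1)[0]
        totals[component] += count_loc(src)
    return dict(totals)


def prioritize(tree: dict) -> list:
    """Rank components by LoC, largest first, with cumulative coverage share.

    Returns a list of (component, loc, cumulative_share) tuples; reviewing
    components in this order tells you how much of the code base each
    additional component brings under manual coverage.
    """
    totals = loc_by_component(tree)
    grand = sum(totals.values())
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    out, cumulative = [], 0
    for component, loc in ranked:
        cumulative += loc
        out.append((component, loc, round(cumulative / grand, 3)))
    return out


def estimate(total_loc: int, hours_per_kloc: float = 8.0,
             hourly_rate: float = 150.0, tool_cost_per_kloc: float = 50.0) -> dict:
    """Time-and-materials estimate from total LoC.

    The default rates are placeholder assumptions; replace them with your
    own reviewer throughput and scanner licensing terms.
    """
    kloc = total_loc / 1000.0
    hours = kloc * hours_per_kloc
    return {
        "kloc": kloc,
        "hours": hours,                       # manual analysis time
        "labor": hours * hourly_rate,         # "Time" in the post's terms
        "tooling": kloc * tool_cost_per_kloc, # "Cost" in the post's terms
    }


if __name__ == "__main__":
    for component, loc, share in prioritize(SAMPLE_TREE):
        print(f"{component:<8} {loc:>6} LoC  cumulative coverage {share:.1%}")
    total = sum(loc_by_component(SAMPLE_TREE).values())
    print(estimate(total))
```

The ranking is what makes LoC useful as a coverage gauge: the cumulative share column shows how far a budget that only reaches the first N components actually gets, and the estimate separates manual hours from automated-tool cost so both can be argued independently.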