[Owasp-ireland] OWASP Code Review Guide V1.1 2008

Eoin eoin.keary at owasp.org
Mon Apr 19 06:41:04 EDT 2010


Hi Shivi,

Detective measures can not (normally) be examined using pen testing, such as:
(Some of these would not be performed during runtime testing as the tests
may be too invasive on production systems.)

CRLF/Audit attacking: Damaging log integrity or logging untrusted input to
logs directly without any input validation, sanitisation or length checking.

Logger DoS: Log overflow which may cause availability issues on some systems
due to poor error handling.

Auditing/Logging: at the correct place, information leakage, privacy,
logging the right things.

Denial of service: Generally you won't test for this during a penetration
test, but you can detect this very easily with code review: broken logic,
infinite loops, buffer overflows, etc.

Resource management: Database connection pool release, file handle release,
etc. in the event of an error.

Error handling: Fail open, default secure posture in the event of an error.

On 19 April 2010 10:32, Shivi Arora <sa0031333 at techmahindra.com> wrote:

> Hi Eoin,
>
> First of all thanks and congratulations for producing such a document which
> is of great help in application security code review. Fantastic work.
>
> I have read the OWASP Code Review Guide V1.1 2008 and have a small
> question. In the guide, I read a line “There are also dozens of serious
> security problems that simply can't be found any other way”.
>
> As a code review analyst, it feels great to see some stuff like this. Would
> it be possible for you (OWASP) to list these dozens of security issues
> which can never be identified by any other way, along with the reason? It
> would be of great help.
>
> Waiting to hear from your side.
>
> Thank You,
>
> Shivi Arora | Security Services | Tech Mahindra
>
> Office: +91 22 66882000 | Extn: 6376 | Cell: +91 9820815092
>
> Email: shivi.arora at techmahindra.com
>
> www.techmahindra.com


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

http://asg.ie/
https://twitter.com/EoinKeary
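The CRLF/audit-log and logger-DoS points above, as an added example (not code from the guide or from either author): an unsafe logging call beside a hardened one, where the sanitiser name, the 256-character cap and the forged-username sample are my assumptions.

```python
import re
import logging
from io import StringIO

MAX_FIELD_LEN = 256  # assumed cap; size it to what your log pipeline tolerates


def sanitize_for_log(value: str, max_len: int = MAX_FIELD_LEN) -> str:
    """Escape CR/LF and other control characters so untrusted input cannot
    forge extra log records, and bound the length so oversized values
    cannot flood the log (the "logger DoS" case)."""
    cleaned = re.sub(r"[\x00-\x1f\x7f]",
                     lambda m: "\\x%02x" % ord(m.group()), value)
    if len(cleaned) > max_len:
        cleaned = cleaned[:max_len] + "...[truncated]"
    return cleaned


def log_login_unsafe(logger: logging.Logger, username: str) -> None:
    # Pattern a code review should flag: untrusted input written verbatim.
    logger.warning("Failed login for user %s", username)


def log_login_safe(logger: logging.Logger, username: str) -> None:
    # Hardened form: validate/escape and length-check before it reaches the log.
    logger.warning("Failed login for user %s", sanitize_for_log(username))


def capture(fn, username: str) -> list:
    """Run fn against a memory-backed logger and return the lines it produced."""
    buf = StringIO()
    logger = logging.getLogger("demo." + fn.__name__)
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    fn(logger, username)
    handler.flush()
    return buf.getvalue().splitlines()


# Constructed sample: a username carrying an embedded newline and a fake record.
FORGED = "bob\nINFO Successful login for user admin"

if __name__ == "__main__":
    print(capture(log_login_unsafe, FORGED))  # two records, one of them forged
    print(capture(log_login_safe, FORGED))    # one record, newline escaped
```

The unsafe variant emits two records from a single call; the safe one emits exactly one, with the newline visible as `\x0a`, and long values are truncated rather than logged in full.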