[Owasp-leaders] Code review for backdoors

Gary Robinson gary.robinson at owasp.org
Wed Mar 11 19:38:10 UTC 2015


Hi Ali,

I can confirm the latest version of the code review guide (in progress)
doesn't mention intentional backdoors either.  This does tie in with an
interesting session Cigital put on last week about developers (in house or
3rd party) being the 'bad guy' inserting vulnerabilities/backdoors.

If you have some technical ideas or content let us know.  I've never seen
any technical advice on spotting intentional backdoors, however peer source
code review (and audit or security reviews) would be the best way of
catching this.

Gary
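As an added illustration (not part of this thread, and not code from any OWASP guide), the script below shows the kind of lightweight, heuristic pre-screen a peer reviewer might run before a manual review to surface candidate backdoors and logic bombs: hard-coded credential comparisons, "magic" user names that short-circuit authentication, and date-triggered branches that lead into destructive calls. The rule set, the sample source and its line numbers are constructed for this example and are assumptions, not a standard; every hit is a lead for a human reviewer to read in context, since the same patterns also appear in legitimate code.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Pattern, Tuple

# How many lines after a date-comparison to look for a destructive action.
LOOKAHEAD = 3


@dataclass
class Finding:
    rule: str      # name of the heuristic that fired (constructed names)
    line_no: int   # 1-based line number in the scanned source
    text: str      # the offending line, stripped


# Generic single-line heuristics (constructed for this example).
RULES: List[Tuple[str, Pattern[str]]] = [
    # e.g. password == "fixed-value": a credential the database never sees
    ("hardcoded-credential-compare",
     re.compile(r'(?i)\b(password|passwd|pwd|token|secret)\b\s*==\s*["\'][^"\']+["\']')),
    # e.g. API_KEY = "...": a literal secret embedded in the code base
    ("hardcoded-credential-assign",
     re.compile(r'(?i)\b(password|passwd|api_key|secret)\s*=\s*["\'][^"\']{4,}["\']')),
    # e.g. username == "support": a privileged account baked into the logic
    ("magic-user-bypass",
     re.compile(r'(?i)\b(user(name)?|login|uid)\b\s*==\s*["\'](admin|root|debug|backdoor|support)["\']')),
    # e.g. if debug: return True inside an auth path
    ("debug-auth-bypass",
     re.compile(r'(?i)\b(debug|maintenance|test_mode|bypass)\b.*\b(return\s+true|auth\w*\s*=\s*true|skip)\b')),
]

# A comparison of a date/time value against a literal date (ISO string or y, m, d tuple).
DATE_COMPARE = re.compile(
    r'(?i)\b(date|today|time|now)\b.*?(==|>=|<=|>|<)\s*.*?'
    r'(\d{4}\s*,\s*\d{1,2}\s*,\s*\d{1,2}|\d{4}[-/]\d{2}[-/]\d{2})')

# Calls that delete or overwrite data, or run external commands.
DESTRUCTIVE = re.compile(
    r'(?i)\b(rmtree|remove|unlink|rmdir|truncate|drop\s+table|os\.system|subprocess|format)\b')


def _classify_date_branch(lines: List[str], idx: int) -> Optional[str]:
    """Return a rule name if line idx (0-based) compares a date to a literal.

    If a destructive call follows within LOOKAHEAD lines, escalate the
    finding to a logic-bomb candidate; otherwise report a plain date trigger.
    """
    if not DATE_COMPARE.search(lines[idx]):
        return None
    window = lines[idx + 1: idx + 1 + LOOKAHEAD]
    if any(DESTRUCTIVE.search(w) for w in window):
        return "logic-bomb-candidate"
    return "date-triggered-branch"


def scan_source(source: str) -> List[Finding]:
    """Apply the heuristics line by line and return findings in source order.

    Whole-line comments (# or //) are skipped; inline comments are not
    stripped, so a reviewer may still see occasional hits from comment text.
    """
    lines = source.splitlines()
    findings: List[Finding] = []
    for idx, raw in enumerate(lines):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("//"):
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, idx + 1, line))
        date_rule = _classify_date_branch(lines, idx)
        if date_rule:
            findings.append(Finding(date_rule, idx + 1, line))
    return findings


# Constructed sample: an auth function with a hidden fixed credential, and a
# job that wipes a directory once a date passes (a classic logic-bomb shape).
SAMPLE_SOURCE = '''\
def authenticate(username, password):
    # normal path: look up the user and verify the stored hash
    user = db.lookup(username)
    if user and verify_hash(password, user.hash):
        return True
    # suspicious: fixed credential that bypasses the database entirely
    if username == "support" and password == "Xy9!override":
        return True
    return False

def nightly_job():
    today = datetime.date.today()
    if today >= datetime.date(2015, 12, 31):
        shutil.rmtree("/var/lib/app/data")
    run_cleanup()
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no:>3}  {f.rule:<30} {f.text}")
```

Running it on the constructed sample flags line 7 twice (the literal password and the magic "support" user) and line 13 as a logic-bomb candidate because the date comparison is followed by a `rmtree` call. The value of such a screen is in narrowing what the reviewer reads first; it says nothing about intent, which only the reviewer, the commit history and the requirements can establish.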

On Wed, Mar 11, 2015 at 7:06 PM, Azzeddine Ramrami <
azzeddine.ramrami at owasp.org> wrote:

> All backdoors exploit a security flaw in the apps. A good code review can
> detect security flaws in the code.
> You can also do a reverse engineering technique or fuzzy testing to detect
> security bugs in the apps.
> Azzeddine
>
> On Wed, Mar 11, 2015 at 8:02 PM, Aaron Guzman <aaron.guzman at owasp.org>
> wrote:
>
>> Backdoors are typically at the hardware or embedded level where it's
>> harder to locate. Usually ODMs and OEMs fall victim to this. Typically
>> because they use “backdoors” for debugging and testing purposes during
>> manufacturing. A solution is to test and analyze your code from third
>> parties. Whether that's through IDA or other means.
>> --
>> Aaron G
>> OWASP-LA Board Member
>> Twitter: @scriptingxss
>> Linkedin: http://lnkd.in/bds3MgN
>>
>> On Mar 11, 2015, at 11:27 AM, psiinon <psiinon at gmail.com> wrote:
>>
>> How about: "Don't put them in" ??
>>
>> ;)
>>
>> On Wed, Mar 11, 2015 at 6:22 PM, Ali Khalfan <ali.khalfan at owasp.org>
>> wrote:
>>
>>> The OWASP code review guidelines do a great job at looking for
>>> vulnerabilities. However, they will not address intentional vulnerabilities
>>> such as backdoors and logic bombs.
>>>
>>> I wanted to establish such a guideline, but I was wondering if there is
>>> any reference I could fall back on?
>>>
>>> Ali
>>> --
>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>
>
> --
> Azzeddine RAMRAMI
> +33 6 65 48 90 04.
> Enterprise Security Architect
> OWASP Leader (Morocco Chapter)
> Mozilla Security Projects Mentor
>