[OWASP-TESTING] Testing Draft v0.4

Jeff Williams jeff.williams at aspectsecurity.com
Tue Apr 13 22:09:17 EDT 2004


Really nice improvements. I have three comments.

First, I think we should point out two key benefits: completeness and
accuracy.  Completeness is what distinguishes code review from almost every
other approach. Runtime approaches simply can't find problems in code that
doesn't execute.  Accuracy is also extremely important, and code review
produces very low rates of false alarms when compared to penetration
testing.

Second, I think we need to be very clear about whether "SCR is one of the
most efficient techniques" or whether it is "expensive" and "time consuming"
(really the same thing).  I have heard this objection to SCR from a number
of large companies and agencies -- and I don't want to encourage it unless
we really believe this.  In my experience, a reasonable SCR can be
accomplished in the *same* amount of time as a penetration test.  And the
findings will be far more complete and accurate.

Third, I disagree with the point that the review should always be by a
separate team or 3rd party. The most effective SCR is done as part of a peer
review process that has some real security guidelines to follow. Perhaps as
part of Part 2, we can include a checklist for this activity.  A 3rd party
review is useful at the right time to obtain some objective opinions.

Just a few opinions -- I'm obviously a huge advocate for SCR, but I'm trying
to be objective here. Let me know if this makes sense.

--Jeff

----- Original Message ----- 
From: "Calderon, Juan Carlos (GE Commercial Finance, NonGE)"
<juan.calderon at ge.com>
To: "OWASP" <owasp-testing at lists.sourceforge.net>
Sent: Tuesday, April 13, 2004 6:02 PM
Subject: RE: [OWASP-TESTING] Testing Draft v0.4


Hi everyone

I've changed the document with an updated Source Code Review Section, check
it out please

Regards,
JC

PS Thank you Dan for your feedback on the last draft; please do the same for
this one, I'd really appreciate it

 <<OWASP Testing Project v0.43.doc>>

>  -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net
> [mailto:owasp-testing-admin at lists.sourceforge.net]  On Behalf Of Harinath
> Sent: Tuesday, April 06, 2004 11:46 AM
> To: OWASP
> Subject: [OWASP-TESTING] Testing Draft v0.4
>
>
> Hi All,
>
> I have updated the document with Reviews and Inspections (Chapter 4) which
> I have written.
>
> Awaiting your blastings....
>
> Hari
>
> Harinath V Pudipeddi,
> Software Quality and Engineering
> Res: +91.80.2563 1098
> Mob:+91.98860 01976
> ICQ: 222312082
> http://www.SQaE.com
>
> Testing is not a Skill, It's Attitude
>  << File: OWASP Testing Project v0.4.doc >>
