[OWASP-TESTING] Testing Draft v0.4

Calderon, Juan Carlos (GE Commercial Finance, NonGE) juan.calderon at ge.com
Fri Apr 16 18:09:20 EDT 2004

Thank you, Jeff.

Phew! I can't believe I didn't have time to read your comment until today, man...

So, first: great points. I totally agree; I'll be adding them as advantages.

Second, I guess the word that better describes this is "effective", not "efficient", don't you think?

Third, right again. By third party I mean another person/team; that is not necessarily someone outside your own team or company. A great example is just the one you mention: peer reviews. In previous drafts I clarified this in a comment in parentheses; I guess I shouldn't have gotten rid of it.

Thank you again,

-----Original Message-----
From: Jeff Williams [mailto:jeff.williams at aspectsecurity.com]
Sent: Tuesday, April 13, 2004 9:09 PM
To: Calderon, Juan Carlos (GE Commercial Finance, NonGE); OWASP
Subject: Re: [OWASP-TESTING] Testing Draft v0.4

Really nice improvements. I have three comments.

First, I think we should point out two key benefits: completeness and
accuracy.  Completeness is what distinguishes code review from almost every
other approach. Runtime approaches simply can't find problems in code that
doesn't execute.  Accuracy is also extremely important, and code review
produces very low rates of false alarms when compared to penetration

Second, I think we need to be very clear about whether "SCR is one of the
most efficient techniques" or whether it is "expensive" and "time consuming"
(really the same thing).  I have heard this objection to SCR from a number
of large companies and agencies -- and I don't want to encourage it unless
we really believe this.  In my experience, a reasonable SCR can be
accomplished in the *same* amount of time as a penetration test.  And the
findings will be far more complete and accurate.

Third, I disagree with the point that the review should always be by a
separate team or 3rd party. The most effective SCR is done as part of a peer
review process that has some real security guidelines to follow. Perhaps as
part of Part 2, we can include a checklist for this activity.  A 3rd party
review is useful at the right time to obtain some objective opinions.

Just a few opinions -- I'm obviously a huge advocate for SCR, but I'm trying
to be objective here. Let me know if this makes sense.


----- Original Message ----- 
From: "Calderon, Juan Carlos (GE Commercial Finance, NonGE)"
<juan.calderon at ge.com>
To: "OWASP" <owasp-testing at lists.sourceforge.net>
Sent: Tuesday, April 13, 2004 6:02 PM
Subject: RE: [OWASP-TESTING] Testing Draft v0.4

Hi everyone

I've changed the document with an updated Source Code Review section; check
it out, please.


PS Thank you, Dan, for your feedback on the last draft. Please do the same for
this one; I'd really appreciate it.

 <<OWASP Testing Project v0.43.doc>>

> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net
> [mailto:owasp-testing-admin at lists.sourceforge.net]  On Behalf Of Harinath
> Sent: Tuesday, April 06, 2004 11:46 AM
> Subject: [OWASP-TESTING] Testing Draft v0.4
> Hi All,
> I have updated the document with Reviews and Inspections (Chapter 4), which
> I have written.
> Awaiting your blastings....
> Hari
> Harinath V Pudipeddi,
> Software Quality and Engineering
> Res: +91.80.2563 1098
> Mob:+91.98860 01976
> ICQ: 222312082
> http://www.SQaE.com
> Testing is not a Skill, It's Attitude
>  << File: OWASP Testing Project v0.4.doc >>