[OWASP-TESTING] Testing Draft v0.4

Jeff Williams jeff.williams at aspectsecurity.com
Fri Apr 16 23:31:20 EDT 2004

You know, I've reviewed a lot of code and I don't generally want to see much
design documentation.  In the interest of full disclosure, I should mention
that I seem to be in the minority on this point -- at least among the code
review experts at Aspect.

But there are two important points to consider here.

1) The documentation is NOT TRUTH.  The truth is in the code.  Everything
else is a model or an abstraction.  Very often the code does not work like
the documentation says it should.   So if you do look at docs, you better
have a very skeptical eye.  Remember, NOBODY DOCUMENTS VULNERABILITIES.

2) You don't always have time to review both the documentation AND the code.
I believe your time is better spent in the code, since that's where the
problems are.  Reviewing the documentation can take weeks that soak time
from the effort.  It's just a question of where your hours are best spent.

If a code reviewer is really skilled at reading code for security, having a
ton of documenation is really not necessary.  If it is, that's a problem
with the code, since if the reviewer can't quickly understand it, neither
can anyone else.  And if you can't understand how an application protects
itself or how the security mechanisms work, they're almost certainly broken.


----- Original Message ----- 
From: Calderon, Juan Carlos (GE Commercial Finance, NonGE)
To: owasp-testing at lists.sourceforge.net
Sent: Friday, April 16, 2004 6:17 PM
Subject: RE: [OWASP-TESTING] Testing Draft v0.4

IMHO the "Use what you have learned" should be a different topic or issue
(as well if you agree with Nish), I think that information in not part of an
specific technique.

-----Original Message-----
From: Nishchal Bhalla [mailto:nishchalbhalla at yahoo.ca]
Sent: Wednesday, April 14, 2004 12:41 AM
To: Calderon, Juan Carlos (GE Commercial Finance, NonGE)
Cc: owasp-testing at lists.sourceforge.net
Subject: RE: [OWASP-TESTING] Testing Draft v0.4

I agree the stuff is pretty good. I also agree with jeff's comments and have
a couple of more suggestions, i think we should have another topic which
talks more on the type of documentation that would be useful.
basically DFD and application flow diagram type documents definately help
understand the application code and application flow. what are your thoughts


"Calderon, Juan Carlos (GE Commercial Finance, NonGE)"
<juan.calderon at ge.com> wrote:
Hi everyone

I've changed the document with an updated Source Code Review Section, check
it out please


PS Thank you Dan for your feedback on last draft, please do the same for
this one, I'd really appreciated it


> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net
[mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Harinath
> Sent: Tuesday, April 06, 2004 11:46 AM
> Subject: [OWASP-TESTING] Testing Draft v0.4
> Hi All,
> I have updated the document with Reviews and Inspections (Chapter 4) which
I have written.
> Awaiting your blastings....
> Hari
> Harinath V Pudipeddi,
> Software Quality and Engineering
> Res: +91! .80.2563 1098
> Mob:+91.98860 01976
> ICQ: 222312082
> http://www.SQaE.com
> Testing is not a Skill, It's Attitude
> << File: OWASP Testing Project v0.4.doc >>

> ATTACHMENT part 2 application/msword name=OWASP Testing Project v0.43.doc

Post your free ad now! Yahoo! Canada Personals

More information about the Owasp-testing mailing list