Jeff Williams jeff.williams at aspectsecurity.com
Wed Mar 17 21:41:44 EST 2004

I agree -- this is headed in the right direction.  I'd like to see a description of how you figure out all of the following...

- what kind of people you need on the team
- what code exactly is to be reviewed
- the size and complexity of the application to be reviewed
- what "secure" means for this application (business logic issues)
- how to package and deliver code securely for the reviewer
- what configuration information and libraries are included in the review
- what level of rigor is required
- are you going to find all instances of a flaw or only examples
- how do you figure out the risk related to a flaw
- how to write findings for *developers*
- does the review assume malicious developers or not
- whether to search the code or pentest the app
- which techniques are you going to use to find vulnerabilities in the code


  ----- Original Message ----- 
  From: Mark Curphey 
  To: Calderon, Juan Carlos (GE Commercial Finance, NonGE) ; owasp-testing at lists.sourceforge.net 
  Sent: Wednesday, March 17, 2004 9:13 PM
  Subject: RE: [OWASP-TESTING] Updated Doc

  I think it's getting into a good logical flow. It's the sort of doc I would like to read, which is always how I try and judge things. Then again I read the Beano (comic) so who knows ;-)
  I think your code review section is great. My only thought is that it may be moving towards the How to do a code review rather than describe the process and the advantages and disadvantages. IMHO I think that a lot of this would be perfect for the Methodology for code reviews which logically fits into Part 2. 
  I guess things I would like to see would be 
  Do you review line by line or perform code "inspection"?
  Do you check out an entire tree or branches of it etc.?
  How do you deal with linked libraries that are not part of your app?
  Are there examples of things that you can't find from static analysis, i.e. need runtime?
  Just my 2 cents

  -----Original Message----- 
  From: Calderon, Juan Carlos (GE Commercial Finance, NonGE) [mailto:juan.calderon at ge.com] 
  Sent: Wed 3/17/2004 7:10 PM 
  To: owasp-testing at lists.sourceforge.net 
  Subject: RE: [OWASP-TESTING] Updated Doc
