[Owasp-testing] [Owasp-codereview] Fwd: Code review Structure

Subere at unconvention.org Subere at unconvention.org
Wed Jan 17 13:01:21 EST 2007


> This is why I'm not convinced it's necessary to have language specific
> chapters. Most of the information in those chapters will apply to
> all languages / frameworks. You can always jump over examples you're not
> interested in, or you can learn from the other language's issues to avoid
> them in your own.

Do not want to sound discouraging on the subject, but this is a code auditing
guide and we are not only facing the equivalent of business logic layer
requirements but are ultimately up against the level of machine language code
generated from different compilers. I have to admit, they do make good
recommendations and are liked by the client!

Perhaps not every language, but ultimately general language categorizations will
be required. Overflows do not exist in Java, say, but are there in Perl. This
example might be basic; it illustrates the point.

And ultimately we have to look at what people are coding in. Most popular are
Java and .NET frameworks. There are a number of things you can do in one that
you cannot do in the other. A separation between the two will most definitely be
required.

Personal opinions; all comments welcome.

Thanks,

Subere

