Penetration Testing mailing list archives

[PEN-TEST] Quality Assurance


From: "Levine, Adam" <Adam.Levine () BANKOFAMERICA COM>
Date: Mon, 16 Oct 2000 17:42:20 -0700

Problem:  How to determine that security vulnerabilities are not introduced into
program code?  Two situations:  1) source code available (e.g., internal
development) or 2) only object code available (i.e., vendor supplied)

If you have source code, then I would argue that the QA function should perform
a compare and review all source code changes to assure that they are performing
the intended function.

If you only have object code or as an alternative for lower risk applications,
it might be acceptable to place your application into a testing utility that
tells you about any object code that is not executed during regression testing.
Test scripts must include destructive tests (e.g., buffer overflows, control
characters).  Follow up with the vendor on any code that is not executed.

First question:  It's my understanding that testing utilities such as described
above are language specific.  Can I get feedback from the list on testing
utilities that perform the function above and the associated languages handled?

Second question:  How have people implemented their QA functions for web-related
code?

Thanks ... Adam

