Penetration Testing mailing list archives
[PEN-TEST] Quality Assurance
From: "Levine, Adam" <Adam.Levine () BANKOFAMERICA COM>
Date: Mon, 16 Oct 2000 17:42:20 -0700
Problem: How to determine that security vulnerabilities are not introduced into program code? Two situations:

1) source code available (e.g., internal development), or
2) only object code available (i.e., vendor supplied).

If you have source code, then I would argue that the QA function should perform a compare and review all source code changes to assure that they are performing the intended function.

If you only have object code, or as an alternative for lower risk applications, it might be acceptable to place your application into a testing utility that tells you about any object code that is not executed during regression testing. Test scripts must include destructive tests (e.g., buffer overflows, control characters). Follow up with the vendor on any code that is not executed.

First question: It's my understanding that testing utilities such as described above are language specific. Can I get feedback from the list on testing utilities that perform the function above and the associated languages handled?

Second question: How have people implemented their QA functions for web-related code?

Thanks ... Adam
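The "destructive tests" the post asks for (oversized input as a buffer-overflow probe, embedded control characters) are easiest to reason about as a small harness driven against one input-handling routine. The following is an added example, not code from the original post or from any tool it mentions: `safe_field_copy` and `run_destructive_tests` are hypothetical names, the 16-byte field size and the probe inputs are constructed for the example, and the expected outcomes are the ones a bounded, control-character-rejecting copy should produce. Compiling such a harness with gcc's `-fprofile-arcs -ftest-coverage` and running `gcov` afterwards lists the lines the regression run never executed, which is the "code not executed during regression testing" report the post describes.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Example code (not from the original post). A bounded copy that refuses
 * control characters, plus the destructive cases that should exercise
 * every branch of it. */

enum copy_result { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_REJECTED = 2 };

/* Copy src into dst (capacity dstlen). dst is always NUL-terminated on
 * return when dstlen > 0. Returns COPY_REJECTED on the first control
 * character (dst is cleared), COPY_TRUNCATED if src did not fit, else
 * COPY_OK. A single pass, so a probe that is both oversized and carries a
 * control character past the capacity limit reports truncation. */
enum copy_result safe_field_copy(char *dst, size_t dstlen, const char *src)
{
    size_t i;
    if (dstlen == 0)
        return COPY_TRUNCATED;          /* nothing can be stored at all */
    for (i = 0; src[i] != '\0'; i++) {
        if (iscntrl((unsigned char)src[i])) {
            dst[0] = '\0';              /* never pass partial garbage on */
            return COPY_REJECTED;
        }
        if (i + 1 >= dstlen) {          /* leave room for the terminator */
            dst[i] = '\0';
            return COPY_TRUNCATED;
        }
        dst[i] = src[i];
    }
    dst[i] = '\0';
    return COPY_OK;
}

#define FIELD_LEN 16                    /* constructed destination size */
#define DESTRUCTIVE_CASES 4             /* number of cases run below */

/* Convenience wrapper: status of copying src into a fresh FIELD_LEN buffer. */
enum copy_result copy_status(const char *src)
{
    char field[FIELD_LEN];
    return safe_field_copy(field, sizeof field, src);
}

/* Run the constructed destructive cases. Returns how many behaved as the
 * specification demands; a full pass equals DESTRUCTIVE_CASES. */
int run_destructive_tests(void)
{
    char field[FIELD_LEN];
    char big[4096];                     /* constructed oversized probe */
    int passed = 0;

    /* Case 1: ordinary input copies intact. */
    if (safe_field_copy(field, sizeof field, "alice") == COPY_OK &&
        strcmp(field, "alice") == 0)
        passed++;

    /* Case 2: 4095 'A's (buffer-overflow probe) must be truncated to the
     * capacity, stay NUL-terminated, and never write past the end. */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (safe_field_copy(field, sizeof field, big) == COPY_TRUNCATED &&
        strlen(field) == FIELD_LEN - 1)
        passed++;

    /* Case 3: embedded ESC (0x1b) is a control character: reject outright. */
    if (safe_field_copy(field, sizeof field, "al\x1bice") == COPY_REJECTED &&
        field[0] == '\0')
        passed++;

    /* Case 4: a trailing CR/LF is also control input, not a valid field. */
    if (safe_field_copy(field, sizeof field, "alice\r\n") == COPY_REJECTED)
        passed++;

    return passed;
}

int main(void)
{
    int passed = run_destructive_tests();
    printf("destructive tests: %d/%d passed\n", passed, DESTRUCTIVE_CASES);
    return passed == DESTRUCTIVE_CASES ? 0 : 1;
}
```

The point of keeping the cases in one harness is that a coverage run over it shows immediately whether the truncation and rejection branches were ever reached; a regression suite made only of well-formed input leaves exactly those branches unexecuted, which is the gap the post wants the testing utility to reveal.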
Current thread:
- [PEN-TEST] Quality Assurance Levine, Adam (Oct 16)
- Re: [PEN-TEST] Quality Assurance White Vampire (Oct 17)
- Re: [PEN-TEST] Quality Assurance Alfred Huger (Oct 17)