WebApp Sec mailing list archives

Re: Fail Open Authentication and Parameter Injection


From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Tue, 25 Mar 2003 15:06:11 -0500

Absolutely.  The key is coming up with a standard for the review.  Saying
you're doing a code review is meaningless unless you define what kinds of
problems you're looking for.  Also, there are lots of ways to "review" the
code.  Going "line-by-line" is really not optimal from a security
perspective in my opinion.  You use different techniques for each type of
vulnerability.

To me, the hardest problems to find are integrity issues and trojans.
Integrity is difficult because unless you understand the business rules,
you'll never know what should be allowed and what shouldn't.  Trojans are
supremely difficult, because a strong attacker will obfuscate the attack.
If you don't absolutely trust the developers who wrote your code and you
haven't reviewed it, you're taking an insane risk.

--Jeff

----- Original Message -----
From: Mads Rasmussen
To: Jeff Williams @ Aspect ; webappsec () securityfocus com
Sent: Tuesday, March 25, 2003 2:00 PM
Subject: Re: Fail Open Authentication and Parameter Injection

-----Original Message-----
From: Jeff Williams @ Aspect [mailto:jeff.williams () aspectsecurity com]
Sent: Tuesday, 25 March 2003 15:34
To: Dawes, Rogan (ZA - Johannesburg); 'Indian Tiger';
webappsec () securityfocus com
Subject: Re: Fail Open Authentication and Parameter Injection

<snip>

You just can't beat actually looking at the code.  You'll need to work
out a process for reviewing the code and a standard to review against.
You also need to make sure you've found ALL the code.  But a code review
will give you some real assurance that you've covered everything...in a
way that penetration testing never can.

Sure enough, but you often have to prioritize, opening the possibility of
missing something.
Something that should get high priority would be

1) authentication
2) content modifying code
etc

Mads


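The thread is about finding fail-open authentication by code review, and Mads puts authentication code first on the review list. As an added example, not part of the original thread or any participant's code, here is the fail-open pattern beside its fail-closed rewrite in Python. The user store, the `lookup_user` function, the hashing scheme and the list-valued username (standing in for an injected duplicate parameter) are all constructed for illustration and are not from the original posts.

```python
"""Added example (not from the mailing-list thread): a fail-open
authentication check beside its fail-closed form.

Everything below (user table, lookup behaviour, names) is constructed
for illustration; it is not code from the thread or from any product.
"""

import hashlib
import hmac


def _hash(salt: str, password: str) -> str:
    """Salted SHA-256, used only to keep the sample user store simple."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample user store: username -> (salt, digest).
USERS = {
    "alice": ("s4lt-a", _hash("s4lt-a", "correct horse")),
    "bob": ("s4lt-b", _hash("s4lt-b", "hunter2")),
}


def lookup_user(username):
    """Simulated directory lookup (an assumption of this example).

    A username that is not a plain string, e.g. the list a web framework
    hands you for ?user=alice&user=bob, raises rather than returning a
    record, as many backends would.
    """
    if not isinstance(username, str):
        raise TypeError("username must be a string")
    return USERS.get(username)


def authenticate_fail_open(username, password):
    """The pattern a reviewer is hunting for: 'deny' is decided on only
    one path (wrong password), and every other path, including an
    unknown user and an exception from the lookup, drops through to
    'allow'.
    """
    try:
        rec = lookup_user(username)
        if rec is not None:
            salt, digest = rec
            if _hash(salt, password) != digest:
                return False  # the only explicit deny
    except Exception:
        pass  # swallowed error falls through to the default below
    return True  # default is allow: fail open


def authenticate_fail_closed(username, password):
    """Same checks, rewritten so the default is deny: the only way to
    reach True is to pass every check, and an error denies.
    """
    try:
        rec = lookup_user(username)
    except Exception:
        return False  # error => deny
    if rec is None:
        return False  # unknown user => deny
    salt, digest = rec
    return hmac.compare_digest(_hash(salt, password), digest)


if __name__ == "__main__":
    for name in ("alice", "nobody", ["alice", "bob"]):
        print(name, authenticate_fail_open(name, "x"),
              authenticate_fail_closed(name, "x"))
```

When reviewing authentication code, the check this illustrates is to find the function's default return and every path that reaches it: in the fail-open version an unknown user, a malformed or injected parameter, or any exception from the lookup all end in `return True`, and no line-by-line read of the happy path will show that.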