WebApp Sec mailing list archives
Re: RES: Fail Open Authentication and Parameter Injection
From: Mark Curphey <mark () curphey com>
Date: 25 Mar 2003 13:01:56 -0800
For a long time I have been trying to find people who are experts in secure code review to start a secure code review methodology or at least add a section in the OWASP testing methodology. There are a few papers out there but I haven't seen an open methodology that people could provide metrics against or use as a yardstick to judge services. I am not even sure how practical it is, to be honest.

On Tue, 2003-03-25 at 12:23, Mads Rasmussen wrote:
-----Original Message-----
From: Jeff Williams @ Aspect [mailto:jeff.williams () aspectsecurity com]
Sent: Tuesday, 25 March 2003 17:06
To: Mads Rasmussen; webappsec () securityfocus com
Subject: Re: Fail Open Authentication and Parameter Injection

> Absolutely. The key is coming up with a standard for the review. Saying you're doing a code review is meaningless unless you define what kinds of problems you're looking for. Also, there are lots of ways to "review" the code. Going "line-by-line" is really not optimal from a security perspective in my opinion. You use different techniques for each type of vulnerability.

It would be nice if OWASP could include some general guidelines on this. I could imagine something like listing some priorities and maybe some examples of how to identify bad code.

> To me, the hardest problems to find are integrity issues and trojans. Integrity is difficult because unless you understand the business rules, you'll never know what should be allowed and what shouldn't. Trojans are supremely difficult, because a strong attacker will obfuscate the attack. If you don't absolutely trust the developers who wrote your code and you haven't reviewed it, you're taking an insane risk.

You hit the soft spot; I don't have a clue as to how to avoid this. If you must spend time to understand the business rules, the code review becomes very time consuming and thus expensive for the client. In this outsourced world trojans seem to be an increasing risk. They might be somewhat avoided by testing the communication of the app with a sniffer, but it won't capture all; a trojan might be time invoked.

Mads
-- Mark Curphey <mark () curphey com>