Re: Fail Open Authentication and Parameter Injection

["Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>]

Mads wrote:
> > If you don't absolutely trust the developers who wrote your code and
you
> > haven't reviewed it, you're taking an insane risk.
>
> You hit the soft spot, I don't have a clue as how to avoid this. If you
> must spend time to understand the business rule the code review becomes
> very time consuming and thus expensive for the client.
>
> In this outsourced world trojans seems to be an increasing risk, might
> be somewhat avoided be testing communication of app with a sniffer, but
> it won't capture all, Trojan might be time invoked

I don't understand why people think code reviews are so time consuming and
expensive.  Whether you're pentesting or code reviewing, the goal is to
find security holes in the software as quickly as possible.  Yes, you can
"complete" a penetration test in a short amount of time.  But what did you
really learn? That some (very) small subset of the possible attacks either
works or doesn't work?

I'm convinced that reviewing/searching/scanning the *code* is far more
cost-effective than external scanning or penetration testing.  You can
complete a code review quickly too.  You keep the standard short and don't
search too hard.  In the end, I believe you'll find more of the most
important security holes faster by looking at the code.

Imagine that you need to verify that an application implements a business
rule without a security flaw. No matter what, you have to figure out how
it 'ought' to work.  Once you've done that, how are you going to verify
it?   If you choose to pentest, someone will bang on the site from the
outside and attempt to make it malfunction (they also have to detect that
it broke, which ain't trivial).  If you choose to review the code, you can
identify where the rule is implemented, analyze the code, and make
findings.

I'll put my money into code review every time.

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com