WebApp Sec mailing list archives
Re: Fail Open Authentication and Parameter Injection
From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Tue, 25 Mar 2003 15:06:11 -0500
Absolutely. The key is coming up with a standard for the review. Saying you're doing a code review is meaningless unless you define what kinds of problems you're looking for. Also, there are lots of ways to "review" the code. Going "line-by-line" is really not optimal from a security perspective, in my opinion. You use different techniques for each type of vulnerability.

To me, the hardest problems to find are integrity issues and trojans. Integrity is difficult because unless you understand the business rules, you'll never know what should be allowed and what shouldn't. Trojans are supremely difficult, because a strong attacker will obfuscate the attack. If you don't absolutely trust the developers who wrote your code and you haven't reviewed it, you're taking an insane risk.

--Jeff

----- Original Message -----
From: Mads Rasmussen
To: Jeff Williams @ Aspect ; webappsec () securityfocus com
Sent: Tuesday, March 25, 2003 2:00 PM
Subject: RES: Fail Open Authentication and Parameter Injection
-----Original Message-----
From: Jeff Williams @ Aspect [mailto:jeff.williams () aspectsecurity com]
Sent: Tuesday, 25 March 2003 15:34
To: Dawes, Rogan (ZA - Johannesburg); 'Indian Tiger'; webappsec () securityfocus com
Subject: Re: Fail Open Authentication and Parameter Injection
<snip>
You just can't beat actually looking at the code. You'll need to work out a process for reviewing the code and a standard to review against. You also need to make sure you've found ALL the code. But a code review will give you some real assurance that you've covered everything...in a way that penetration testing never can.
Sure enough, but you often have to prioritize, opening the possibility of missing something. Something that should get high priority would be 1) authentication, 2) content-modifying code, etc.

Mads